Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545804
MD5: 61162abf98861e7e3176df82d232523e
SHA1: 3f2eb1c68e088fccb1b33577dc5fbc491e29efd6
SHA256: e552849b11e4c38df89416fcee9110fdcdbba56b66ed3c18113c428e842de0f3
Tags: exe, user-Bitsight

Detection

WhiteSnake Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected WhiteSnake Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: file.exe Avira: detected
Source: http://185.217.98.121:80 Virustotal: Detection: 12%
Source: file.exe ReversingLabs: Detection: 15%
Source: file.exe Virustotal: Detection: 27%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.3% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 00000000000000000400000000000000l.pdbbt. source: InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1680094978.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1680094978.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E01000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vlUtil.pdb source: InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2890924169.00000000009F7000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05FE9950
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05FE9948
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 05FE4C00h 0_2_05FE4B48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 05FE4C00h 0_2_05FE4B40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0600D848
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0603B1B9h 0_2_0603AFD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0603B1B9h 0_2_0603AFC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0603AC41h 0_2_0603A850
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 0603AC41h 0_2_0603A860
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06153E77h 0_2_06153AD1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06153E77h 0_2_06153AE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp 06153E77h 0_2_06153BDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02B53382h 1_2_02B52CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02B533A5h 1_2_02B52CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 02B53382h 1_2_02B52CE8

Networking

Source: Yara match File source: 0.2.file.exe.3a7ebe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3a2ebc8.1.raw.unpack, type: UNPACKEDPE
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://101.126.19.171:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://101.43.160.136:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://107.161.20.142:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://116.202.101.219:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://129.151.109.160:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://132.145.17.167:9090
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.28.185.29:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://159.203.174.113:8090
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.235.70.96:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://168.138.211.88:8099
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://18.228.80.130:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.217.98.121:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.217.98.121:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.164.198.113:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.78.55.47:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://206.166.251.4:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://209.38.221.184:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://38.207.174.88:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://38.60.191.38:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.9:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://41.87.207.180:9090
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://46.235.26.83:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.96.78.224:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.159.4.50:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://65.49.205.24:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://67.230.176.97:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://8.216.92.21:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://8.219.110.16:9999
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://8.222.143.111:8080
Source: file.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: file.exe String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: file.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: file.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: file.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: file.exe String found in binary or memory: http://nsis.sf.net/License
Source: file.exe String found in binary or memory: http://nsis.sf.net/License)
Source: file.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: file.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: file.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: file.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: file.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: file.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: file.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://138.2.92.67:443
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://154.9.207.142:443
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://185.217.98.121:443
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://192.99.196.191:443
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://5.196.181.135:443
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: file.exe String found in binary or memory: https://jrsoftware.org0
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.1658517848.0000000002A07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: file.exe String found in binary or memory: https://www.certum.pl/CPS0
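The URL findings above mix three kinds of strings: raw IP:port endpoints that appear only in the memory of the injected InstallUtil.exe process, certificate-infrastructure URLs (Certum CRL, OCSP and repository paths, carrying trailing ASN.1 length bytes such as `crl0s`) from the certificate data in file.exe that the report flags as invalid, and library references (protobuf-net, xmlsoap schemas). The following is an added example, not part of the report or of any vendor tooling, that sorts the findings into those groups so the IP endpoints can be handed to hunting. It reads a subset of the lines above verbatim; the regex and the grouping rule are assumptions about the report's text layout, and the report does not establish which endpoints are live C2 rather than decoys or fallbacks, so treat them as candidates to verify.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the Networking lines from the report above, copied verbatim.
# In practice, read the exported report text instead.
REPORT_LINES = """\
Source: Yara match File source: 0.2.file.exe.3a7ebe8.5.raw.unpack, type: UNPACKEDPE
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://101.126.19.171:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://101.43.160.136:8080
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.217.98.121:80
Source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2892476953.0000000002E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://185.217.98.121:443
Source: file.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: file.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
""".splitlines()

# Assumed layout: "Source: <process>[, <dump ids>...] String found in binary or memory: <url>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>[^\s,]+).*?String found in binary or memory:\s+(?P<url>\S+)$"
)


def extract_iocs(lines):
    """Split URL findings into raw IP:port endpoints and named-host URLs.

    Returns {"ip_endpoints": [(process, scheme, ip, port), ...],
             "named_urls":   [(process, url), ...]}, both sorted.
    Named-host URLs from the on-disk file keep their trailing ASN.1 bytes
    (e.g. 'crl0s') because they cannot be stripped reliably; review by hand.
    """
    ip_endpoints, named_urls = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # Yara matches and other non-URL findings
        proc, url = m.group("proc"), m.group("url")
        parts = urlsplit(url)
        host = parts.hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            named_urls.add((proc, url))
            continue
        # Fill in the default port so "https://x" and "https://x:443" collapse.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ip_endpoints.add((proc, parts.scheme, host, port))
    return {"ip_endpoints": sorted(ip_endpoints), "named_urls": sorted(named_urls)}


def unique_ips(result):
    """Distinct IP addresses across all schemes/ports, for a blocklist draft."""
    return sorted({ip for _, _, ip, _ in result["ip_endpoints"]})


if __name__ == "__main__":
    res = extract_iocs(REPORT_LINES)
    for proc, scheme, ip, port in res["ip_endpoints"]:
        print(f"{proc}\t{scheme}://{ip}:{port}")
    print("named-host URLs for manual review:", len(res["named_urls"]))
    print("unique IPs:", unique_ips(res))
```

Run it against the full report text and diff the output of `unique_ips` over time: the set of embedded endpoints is the part of the configuration that changes between builds, whereas the Certum and library URLs are constant noise from the packer and its dependencies.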

System Summary

Source: 0.2.file.exe.3d63e10.4.raw.unpack, bSqekn.cs Long String: Length: 11394
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE7F58 NtResumeThread, 0_2_05FE7F58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE6AD8 NtProtectVirtualMemory, 0_2_05FE6AD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE7F50 NtResumeThread, 0_2_05FE7F50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE6AD0 NtProtectVirtualMemory, 0_2_05FE6AD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0120D348 0_2_0120D348
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012094C1 0_2_012094C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012094D0 0_2_012094D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01209AE8 0_2_01209AE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01209AF8 0_2_01209AF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE2DF8 0_2_05FE2DF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE3D40 0_2_05FE3D40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FEDCB8 0_2_05FEDCB8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FEEAE8 0_2_05FEEAE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FED768 0_2_05FED768
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE20EF 0_2_05FE20EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05FE6818 0_2_05FE6818
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06000028 0_2_06000028
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06000040 0_2_06000040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06027F40 0_2_06027F40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06028FB8 0_2_06028FB8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0602D5C8 0_2_0602D5C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0602C3C0 0_2_0602C3C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0602C6E7 0_2_0602C6E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06027F30 0_2_06027F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06028FA8 0_2_06028FA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06020006 0_2_06020006
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06020040 0_2_06020040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0602806B 0_2_0602806B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0603BBA4 0_2_0603BBA4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0603BC43 0_2_0603BC43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06037870 0_2_06037870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0603C00B 0_2_0603C00B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06152540 0_2_06152540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615AD40 0_2_0615AD40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615B8C8 0_2_0615B8C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06152530 0_2_06152530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06152E90 0_2_06152E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06152E83 0_2_06152E83
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615AA69 0_2_0615AA69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06153AD1 0_2_06153AD1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06153AE0 0_2_06153AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06153BDD 0_2_06153BDD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0629001D 0_2_0629001D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_062ADC70 0_2_062ADC70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06290040 0_2_06290040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02B51EF0 1_2_02B51EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 1036
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.1657328530.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000002.1676055881.0000000003B67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKltdkxt.dll" vs file.exe
Source: file.exe, 00000000.00000002.1676055881.0000000003B67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamem65fad4c5a45e6e95b83ca9.exep( vs file.exe
Source: file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs file.exe
Source: file.exe, 00000000.00000002.1658517848.0000000002A07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamem65fad4c5a45e6e95b83ca9.exep( vs file.exe
Source: file.exe, 00000000.00000002.1678345333.0000000005230000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKltdkxt.dll" vs file.exe
Source: file.exe, 00000000.00000002.1658517848.00000000029A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1680094978.0000000006180000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs file.exe
Source: file.exe, 00000000.00000000.1647730037.00000000006FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameinnoinstaller.exe* vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameinnoinstaller.exe* vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, PolicyReaderCollection.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, PolicyReaderCollection.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, DefinitionParamSpec.cs Task registration methods: 'RegisterTask', 'CreateTask'
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.3d63e10.4.raw.unpack, jEHltQ.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.3d63e10.4.raw.unpack, jEHltQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.file.exe.3d63e10.4.raw.unpack, p5r7.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/1@0/0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:64:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Temp\helloworld.txt
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 15%
Source: file.exe Virustotal: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 1036
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 1341360 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13a800
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 00000000000000000400000000000000l.pdbbt. source: InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1680094978.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1658517848.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1680094978.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E01000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1679652542.0000000005F80000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2892476953.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vlUtil.pdb source: InstallUtil.exe, 00000001.00000002.2891001836.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2890924169.00000000009F7000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs .Net Code: Type.GetTypeFromHandle(cfW0J2GQEJ83yHlLbZf.k5tP7nukMm(16777347)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(cfW0J2GQEJ83yHlLbZf.k5tP7nukMm(16777252)),Type.GetTypeFromHandle(cfW0J2GQEJ83yHlLbZf.k5tP7nukMm(16777284))})
Source: file.exe, PolicyReaderCollection.cs .Net Code: ReadAlgo System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.file.exe.3a2ebc8.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 0.2.file.exe.5830000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1679122389.0000000005830000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1658517848.0000000002A07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0602A752 pushfd ; retf 0_2_0602A755
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_060235F2 push ecx; retf 0_2_060235F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0603F938 push esp; retf 0_2_0603F941
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615D67A push es; ret 0_2_0615D680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615D68D push es; ret 0_2_0615D6BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0615D712 push ebx; ret 0_2_0615D719
Source: file.exe Static PE information: section name: .text entropy: 7.708988508924863
Source: 0.2.file.exe.3c743f0.3.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'aAgiWrkKuSAyGyCF89d'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, cfW0J2GQEJ83yHlLbZf.cs High entropy of concatenated method names: 'k5tP7nukMm', 'ErbPTky723', 'w0ecS5jIiZp9RGZPF1w', 'hy7XZvjr8nYsQLYZOOm', 'eAU15sj62qdP9odiLvp', 'CH0wlnjdJsqZWLLR2xT'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, GDNIACGsPZCXo8eS7HU.cs High entropy of concatenated method names: 'WO6GSn2u1s', 'tRyGZ1JHIR', 'W4JGFUHux1', 'kP6GVkhGdn', 'HbxG8gxYNd', 'wVtG1itEJU', 'UpTGvPeoPX', 'KPjGxltDdg', 'xucG2mWGoA', 'jjkGwD3Ube'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, wNjgIHGzlm3qoHc9aTC.cs High entropy of concatenated method names: 'Md1CbAqgtn', 'JLTCNNFUne', 'rlfC5jU2Wd', 'k4MCAChPKu', 'naVC3X2wju', 'tleCearIp6', 'pJjCUmNHbK', 'fNjoqx8M0y', 'zpaCfnNwaS', 'sdgCQsqRQi'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, Pm9eLOtOt5hjuqFklEr.cs High entropy of concatenated method names: 'eXXHn4kZDPx4c21GRvU', 'wg7KZJkFhZJdRLjMKYN', 'zYvGGh2Lhd', 'qGYsjxkvJdgJ5wLtgiQ', 'WJKCVVkxRMXqNcFmu4d', 'x3kyNqk2A1PlZQUUSuL', 'LGRdiMkw1uxqZTMTuBq', 'Wyukt7kzODXxPFxru1n', 'LttX0ijm28vVHKTqfAh', 'H253lwjpDGUdk7BKPKr'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, NZZSFPYQcuciEMGwg1p.cs High entropy of concatenated method names: 'XksYgED2uc', 'AZTYusKyX6', 'WPwYOwi3uS', 'aYMYsXWeW0', 'FvkYROJcfS', 'jKNpias7NJJytHHUZR8', 'yvDGqUsTquSGeAvQrkO', 'Lr6GccsCe0wSyBcoosk', 'YjZDQysLRet96xPuVP9', 'O5fmF6sIjhf16ZiwdWg'
Source: 0.2.file.exe.3c743f0.3.raw.unpack, B2nHmqtTsx3u1WUddO2.cs High entropy of concatenated method names: 'l5OtLYDnQ7', 'zYktIDmy5q', 'AZAIV9hh8KJRQPPpxBN', 'gqBvA5hkgorS0spXMFK', 'yOGiOohjPFdAdhPL1LT', 'hPxUqOhXH8WDW9yriKc', 'aHpqLEhWpVm2DXdPOWT', 'XaTv9QhBVswtu1GZxmr', 'CJ9JCnhcE5EBWuD5Y8k', 'NrVdjXhPLkirjwP53kE'
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000000.00000002.1658517848.0000000002A07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 49A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 11C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: file.exe, 00000000.00000002.1676055881.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1676055881.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.2890672066.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: qemu'
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: crosoft|VMWare|Virtual
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtualh
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: file.exe, 00000000.00000002.1658517848.0000000002A07000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:Microsoft|VMWare|Virtual
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR^q|
Source: file.exe, 00000000.00000002.1658517848.0000000002D67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02B539E9 LdrInitializeThunk, 1_2_02B539E9
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 0.2.file.exe.3d63e10.4.raw.unpack, kQGy9H.cs Reference to suspicious API methods: GetProcAddress(n2SW, kP2z8m)
Source: 0.2.file.exe.3d63e10.4.raw.unpack, jCb3L.cs Reference to suspicious API methods: OpenProcess(1040u, bInheritHandle: false, xM92h5.Id)
Source: 0.2.file.exe.3d63e10.4.raw.unpack, jCb3L.cs Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)
Source: 0.2.file.exe.3a7ebe8.5.raw.unpack, ResourceReferenceValue.cs Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 428000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42A000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BD5008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6392, type: MEMORYSTR
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>*\*</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests*;PasswordMeta*;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command 
name="0"><args><string>%UserProfile%\Desktop</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>*\*</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests*;PasswordMeta*;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command 
name="0"><args><string>%UserProfile%\Desktop</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.
Source: InstallUtil.exe, 00000001.00000002.2892476953.00000000031CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: s\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>*\*</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests*;PasswordMeta*;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string></args></command><command name="3"><args><string>Ronin</string><string>fnjhmkhhmkbjkkabndcnnogagogbneec</string></args></command><command name="3"><args><string>BinanceChain</string><string>fhbohimaelbohpjbbldcngcnapndodjp</string></args></command><command name="3"><args><string>TronLink</string><string>ibnejdfjmmkpcnlpebklmnkoeoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command 
Source: file.exe, 00000000.00000002.1676055881.0000000003B67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.2892476953.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6392, type: MEMORYSTR
No contacted IP infos