File name: FindWalletv3.2-Crack.exe

Full analysis: https://app.any.run/tasks/95d552d3-fe0b-4b81-992b-c435716e0ca6
Verdict: Malicious activity
Analysis date: October 25, 2024, 06:51:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, telegram, ims-api, generic, neshta
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: A5AAD19F2467992040DCE284A1D34016
SHA1: 9BF000680F2870272BA9F0403CA4DC526FB7C16C
SHA256: 6131F59ADE95F5AAF4F78C1CBD31F033AE508BAE3418D30AD9B7E35E3F96BEB6
SSDEEP: 49152:9TwBSjTSeRF5peaNgnqwLO8bZWPfehRJ3RJ3vM/oPVy+aZ2qMlXAjmEDGk0DYr6R:xwBSvSeBfgqwrJvMoPdZN9ixy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • NESHTA mutex has been found
      • FindWalletv3.2-Crack.exe (PID: 6464)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Mutex name with non-standard characters
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Executable content was dropped or overwritten
      • FindWalletv3.2-Crack.exe (PID: 612)
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Checks for external IP
      • svchost.exe (PID: 2172)
      • Client.exe (PID: 6256)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • Client.exe (PID: 6256)
    • Potential Corporate Privacy Violation
      • Client.exe (PID: 6256)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)
      • Client.exe (PID: 6256)
    • Starts a Microsoft application from unusual location
      • FileCoAuth.exe (PID: 6024)
  • INFO
    • The process uses the downloaded file
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Checks supported languages
      • FindWalletv3.2-Crack.exe (PID: 6464)
      • FindWalletv3.2-Crack.exe (PID: 612)
    • Reads the computer name
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Create files in a temporary directory
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Process checks computer location settings
      • FindWalletv3.2-Crack.exe (PID: 6464)
    • Attempting to use instant messaging service
      • svchost.exe (PID: 2172)
      • Client.exe (PID: 6256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (85.5)
.exe | Win32 Executable Delphi generic (4.6)
.scr | Windows screen saver (4.2)
.dll | Win32 Dynamic Link Library (generic) (2.1)
.exe | Win32 Executable (generic) (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 128
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph: start, findwalletv3.2-crack.exe (#NESHTA), findwalletv3.2-crack.exe, client.exe (THREAT), find wallet v3.2-crack.exe (no specs), svchost.exe, filecoauth.exe (no specs)

Process information

PID 612
  CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FindWalletv3.2-Crack.exe"
  Path: C:\Users\admin\AppData\Local\Temp\3582-490\FindWalletv3.2-Crack.exe
  Parent process: FindWalletv3.2-Crack.exe
  User: admin
  Company: bitter
  Integrity Level: MEDIUM
  Description: sissyaccomplice
  Exit code: 0
  Version: 4.6.11.32
  Modules (images):
    c:\users\admin\appdata\local\temp\3582-490\findwalletv3.2-crack.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\mscoree.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll

PID 2172
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll

PID 6024
  CMD: "C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe" -Embedding
  Path: C:\Users\admin\AppData\Local\Temp\3582-490\FileCoAuth.exe
  Parent process: FileCoAuth.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft OneDrive File Co-Authoring Executable
  Exit code: 0
  Version: 19.043.0304.0013
  Modules (images):
    c:\users\admin\appdata\local\temp\3582-490\filecoauth.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll

PID 6256
  CMD: "C:\Users\admin\AppData\Roaming\Client.exe"
  Path: C:\Users\admin\AppData\Roaming\Client.exe
  Parent process: FindWalletv3.2-Crack.exe
  User: admin
  Integrity Level: MEDIUM
  Description: RL
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\appdata\roaming\client.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\mscoree.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll

PID 6464
  CMD: "C:\Users\admin\Desktop\FindWalletv3.2-Crack.exe"
  Path: C:\Users\admin\Desktop\FindWalletv3.2-Crack.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\findwalletv3.2-crack.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 6692
  CMD: "C:\Users\admin\AppData\Roaming\Find Wallet v3.2-Crack.exe"
  Path: C:\Users\admin\AppData\Roaming\Find Wallet v3.2-Crack.exe
  Parent process: FindWalletv3.2-Crack.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Find-Wallet
  Version: 3.2
  Modules (images):
    c:\users\admin\appdata\roaming\find wallet v3.2-crack.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\mscoree.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
Total events: 7 496
Read events: 7 481
Write events: 15
Delete events: 0

Modification events

(PID 6256) Client.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Client_RASAPI32:
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask (value not shown)
  write ConsoleTracingMask (value not shown)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing

(PID 6256) Client.exe, key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Client_RASMANCS:
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
Executable files: 10
Suspicious files: 15
Text files: 36
Unknown types: 1

Dropped files

PID 6256, Client.exe: C:\Users\admin\AppData\Local\Temp\places.raw
  MD5: (not shown)
  SHA256: (not shown)
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\Browsers\Outlook\Outlook.txt (text)
  MD5: 81051BCC2CF1BEDF378224B0A93E2877
  SHA256: 7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
PID 6464, FindWalletv3.2-Crack.exe: C:\Users\admin\AppData\Local\Temp\3582-490\FindWalletv3.2-Crack.exe (executable)
  MD5: 68F929DC1286BF7AF65BF056845F9B42
  SHA256: 0D20648267D3004BA95B04F9EF01F3F6E40644B46773990807C2741ADBDD3D82
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Desktop\desktop.ini (text)
  MD5: 9E36CC3537EE9EE1E3B10FA4E761045B
  SHA256: 4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Desktop\jackv.rtf (text)
  MD5: 503D503AD047F39C9A45B6F714ACF7C3
  SHA256: 897D3DDBEC592E9CD1F07C51E59C1338748D1F271CB7F098E1103CE13EFCC344
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Desktop\stringdr.png (image)
  MD5: 314BF3A35743AD7CF9E45C8B04F1CD74
  SHA256: 92BBEE9DF899C200D255A314A14FE485FE9DB5E952E894510D870D3E672BB92A
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Desktop\augustmonth.rtf (text)
  MD5: 559613DD338FD064C950FCD8BD8B3D0A
  SHA256: 7CDB1CF6302DAA5AACA30BFCBF087EBCB19BDB25DCAEC319C64447DCF21A6BCA
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Documents\azmonths.rtf (text)
  MD5: 45C78100499E2EECD6DCA93747F551FC
  SHA256: 7EF0DDE4BB2BB883450489B3F3CD73B9A9F0ABD3AE7AB1D4ED0A174D12030F56
PID 6256, Client.exe: C:\Users\admin\AppData\Roaming\DESKTOP-JGLLJLD\FileGrabber\Documents\anyfeatures.rtf (text)
  MD5: F03AEAEA18F11F1639958341FAE9486B
  SHA256: A78C9E3E253C8F7DC3F6D8FDFF940EE998A420F500FD6966C2DFC9EB90798F60
PID 612, FindWalletv3.2-Crack.exe: C:\Users\admin\AppData\Roaming\Find Wallet v3.2-Crack.exe (executable)
  MD5: C309CB9865DFC6DBB7F977F4C0F722C0
  SHA256: 51472E512316807270D85560BF6E3030355007C36A4F74D59A286411BB5378B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 37
DNS requests: 13
Threats: 55

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1248 | RUXIMICS.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1248 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6256 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | - | - | shared
6256 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | - | - | shared
6256 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | - | - | shared
6256 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | - | - | shared
- | - | GET | 301 | 172.67.209.71:443 | https://freegeoip.app/xml/ | unknown | html | 167 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1248 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1248 | RUXIMICS.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1248 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 52.140.118.28 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
dl.dropboxusercontent.com | 162.125.66.15 | shared
freegeoip.app | 188.114.97.3, 188.114.96.3 | whitelisted
ipbase.com | 172.67.209.71, 104.21.85.189 | unknown
api.ipify.org | 104.26.12.205, 172.67.74.152, 104.26.13.205 | shared
ip-api.com | 208.95.112.1 | shared
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
6256 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) (2 alerts)
2172 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
6256 | Client.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
6256 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) (6 alerts)
17 ETPRO signatures available at the full report
No debug info