File name:

CRYPTO-wallet-Cracker.exe

Full analysis: https://app.any.run/tasks/9fefba38-d828-4854-8083-7721b8e63d28
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 26, 2024, 13:08:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
python
pyinstaller
crypto-regex
tnaket
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

140354A8509F90D76BC2975D5E6A7592

SHA1:

2FEF012D2C65A84664292B1D3C2A19B33D3A03EF

SHA256:

86A94F3507135A7147F15AF4D81094F0A486B722E4DF72D85FAC74E99380B17B

SSDEEP:

98304:9DZowErFrt0A2qzpZyB4tHfktEzafhOsE+XZ0Nya0TuqTA0PzRYqmh7vSRpl89+m:QGrmCM1boh11Xmts

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • temp_nik_zbi.exe (PID: 4252)
      • svchost.exe (PID: 5128)

    • Create files in the Startup directory

      • temp_nik_zbi.exe (PID: 4252)

    • Runs injected code in another process

      • svchost.exe (PID: 5128)

    • Application was injected by another process

      • explorer.exe (PID: 4552)

    • The DLL Hijacking

      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • temp_nik_zbi.exe (PID: 4252)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Process drops legitimate windows executable

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Executable content was dropped or overwritten

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • temp_nik_zbi.exe (PID: 4252)
      • svchost.exe (PID: 5128)
      • CA8C.tmp.nikzbi.exe (PID: 2224)
      • explorer.exe (PID: 4552)

    • Application launched itself

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Loads Python modules

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Process drops python dynamic module

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • The process drops C-runtime libraries

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Potential Corporate Privacy Violation

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • svchost.exe (PID: 5128)
      • explorer.exe (PID: 4552)

    • Process requests binary or script from the Internet

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • explorer.exe (PID: 4552)

    • Connects to the server without a host name

      • explorer.exe (PID: 4552)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)

    • Executes application which crashes

      • firefox.exe (PID: 6596)
      • firefox.exe (PID: 6152)

    • Loads DLL from Mozilla Firefox

      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Found regular expressions for crypto-addresses (YARA)

      • svchost.exe (PID: 5128)

  • INFO

    • Create files in a temporary directory

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • svchost.exe (PID: 5128)
      • explorer.exe (PID: 4552)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Reads the machine GUID from the registry

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Reads the computer name

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • temp_nik_zbi.exe (PID: 4252)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Checks supported languages

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • temp_nik_zbi.exe (PID: 4252)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2224)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Creates files or folders in the user directory

      • temp_nik_zbi.exe (PID: 4252)
      • explorer.exe (PID: 4552)
      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Checks proxy server information

      • svchost.exe (PID: 5128)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 5128)
      • explorer.exe (PID: 4552)
      • Taskmgr.exe (PID: 2820)

    • PyInstaller has been detected (YARA)

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)

    • Application launched itself

      • firefox.exe (PID: 6580)
      • firefox.exe (PID: 4364)

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 6580)

    • Reads the software policy settings

      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 5128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:25 14:46:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 173056
InitializedDataSize: 151040
UninitializedDataSize: -
EntryPoint: 0xb4d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
22
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start THREAT crypto-wallet-cracker.exe conhost.exe no specs THREAT crypto-wallet-cracker.exe temp_nik_zbi.exe THREAT svchost.exe explorer.exe ca8c.tmp.nikzbi.exe ca8c.tmp.nikzbi.exe no specs firefox.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe werfault.exe werfault.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
508"C:\Users\admin\AppData\Local\Temp\CRYPTO-wallet-Cracker.exe" C:\Users\admin\AppData\Local\Temp\CRYPTO-wallet-Cracker.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1073807364
Modules
Images
c:\users\admin\appdata\local\temp\crypto-wallet-cracker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
788"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6000 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5596 -prefsLen 31247 -prefMapSize 245487 -jsInitHandle 1360 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bf85147-dc9e-42ab-867f-9b23cda2b3f8} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1336849b850 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1480\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeCRYPTO-wallet-Cracker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2008"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 31255 -prefMapSize 245487 -jsInitHandle 1360 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15fae2aa-f2bd-4922-8ed1-e3df935f7055} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1336849b310 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2224"C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe" C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ca8c.tmp.nikzbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2628"C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe" C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exeCA8C.tmp.nikzbi.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ca8c.tmp.nikzbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2820"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3424"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240213221259 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 30580 -prefMapSize 245487 -appDir "C:\Program Files\Mozilla Firefox\browser" - {383175f2-6d9a-421f-9205-86950e518f64} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1335dee3110 gpuC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4092C:\WINDOWS\system32\WerFault.exe -u -p 6596 -s 824C:\Windows\System32\WerFault.exe
firefox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
4252C:\Users\admin\AppData\Local\Temp\temp_nik_zbi.exeC:\Users\admin\AppData\Local\Temp\temp_nik_zbi.exe
CRYPTO-wallet-Cracker.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Services.exe
Exit code:
0
Version:
1.2.0.1
Modules
Images
c:\users\admin\appdata\local\temp\temp_nik_zbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
37 139
Read events
35 046
Write events
2 083
Delete events
10

Modification events

(PID) Process:(4552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E01E4
Operation:writeName:VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:(4252) temp_nik_zbi.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Services
Value:
C:\Users\admin\AppData\Roaming\{2F33566DA0B91573532102}\{2F33566DA0B91573532102}.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_Adobe
Value:
C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_com.adobe.dunamis
Value:
C:\Users\admin\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_FileZilla
Value:
C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_Macromedia
Value:
C:\Users\admin\AppData\Roaming\Macromedia\Service_Macromedia.exe
Executable files
120
Suspicious files
148
Text files
18
Unknown types
1

Dropped files

PID
Process
Filename
Type
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:BFFFA7117FD9B1622C66D949BAC3F1D7
SHA256:1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_ssl.pydexecutable
MD5:8EE827F2FE931163F078ACDC97107B64
SHA256:EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_hashlib.pydexecutable
MD5:A6448BC5E5DA21A222DE164823ADD45C
SHA256:3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_lzma.pydexecutable
MD5:37057C92F50391D0751F2C1D7AD25B02
SHA256:9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_ctypes.pydexecutable
MD5:F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA256:9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:EB0978A9213E7F6FDD63B2967F02D999
SHA256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:EFAD0EE0136532E8E8402770A64C71F9
SHA256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:1C58526D681EFE507DEB8F1935C75487
SHA256:EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-datetime-l1-1-0.dllexecutable
MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
66
DNS requests
73
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5128
svchost.exe
GET
200
176.111.174.140:80
http://176.111.174.140/vvTBswN.php
unknown
suspicious
5160
CRYPTO-wallet-Cracker.exe
GET
200
176.111.174.140:80
http://176.111.174.140/nuke.exe
unknown
suspicious
5128
svchost.exe
GET
200
176.111.174.140:80
http://176.111.174.140/api/update.pack
unknown
suspicious
5128
svchost.exe
GET
200
176.111.174.140:80
http://176.111.174.140/api/update2.pack
unknown
suspicious
4552
explorer.exe
POST
200
176.111.174.140:80
http://176.111.174.140/api.php?{2F33566DA0B91573532102}
unknown
unknown
4552
explorer.exe
POST
200
176.111.174.140:80
http://176.111.174.140/api.php?{2F33566DA0B91573532102}
unknown
suspicious
4552
explorer.exe
POST
200
176.111.174.140:80
http://176.111.174.140/api.php?{2F33566DA0B91573532102}
unknown
unknown
2024
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4552
explorer.exe
GET
200
176.111.174.140:80
http://176.111.174.140/nikzbi.exe
unknown
suspicious
6580
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6192
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5160
CRYPTO-wallet-Cracker.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
5128
svchost.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
4552
explorer.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
2024
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2024
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.0
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted
spocs.getpocket.com
  • 34.117.188.166
whitelisted
example.org
  • 93.184.215.14
whitelisted

Threats

PID
Process
Class
Message
5160
CRYPTO-wallet-Cracker.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
5160
CRYPTO-wallet-Cracker.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
5160
CRYPTO-wallet-Cracker.exe
Misc activity
ET INFO Packed Executable Download
5160
CRYPTO-wallet-Cracker.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
5160
CRYPTO-wallet-Cracker.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
5160
CRYPTO-wallet-Cracker.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5128
svchost.exe
A suspicious filename was detected
ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
5128
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
5128
svchost.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5128
svchost.exe
Misc activity
ET INFO EXE - Served Inline HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CRYPTO-wallet-Cracker.exe