File name:

CRYPTO-wallet-Cracker.exe

Full analysis: https://app.any.run/tasks/9fefba38-d828-4854-8083-7721b8e63d28
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 26, 2024, 13:08:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
python
pyinstaller
crypto-regex
tnaket
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

140354A8509F90D76BC2975D5E6A7592

SHA1:

2FEF012D2C65A84664292B1D3C2A19B33D3A03EF

SHA256:

86A94F3507135A7147F15AF4D81094F0A486B722E4DF72D85FAC74E99380B17B

SSDEEP:

98304:9DZowErFrt0A2qzpZyB4tHfktEzafhOsE+XZ0Nya0TuqTA0PzRYqmh7vSRpl89+m:QGrmCM1boh11Xmts

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • temp_nik_zbi.exe (PID: 4252)
      • svchost.exe (PID: 5128)

    • Create files in the Startup directory

      • temp_nik_zbi.exe (PID: 4252)

    • Runs injected code in another process

      • svchost.exe (PID: 5128)

    • Application was injected by another process

      • explorer.exe (PID: 4552)

    • The DLL Hijacking

      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • temp_nik_zbi.exe (PID: 4252)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • The process drops C-runtime libraries

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Executable content was dropped or overwritten

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • svchost.exe (PID: 5128)
      • temp_nik_zbi.exe (PID: 4252)
      • explorer.exe (PID: 4552)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Process drops python dynamic module

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Process drops legitimate windows executable

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Application launched itself

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Loads Python modules

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Potential Corporate Privacy Violation

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • explorer.exe (PID: 4552)
      • svchost.exe (PID: 5128)

    • Process requests binary or script from the Internet

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • explorer.exe (PID: 4552)

    • Connects to the server without a host name

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • explorer.exe (PID: 4552)

    • Loads DLL from Mozilla Firefox

      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Executes application which crashes

      • firefox.exe (PID: 6596)
      • firefox.exe (PID: 6152)

    • Found regular expressions for crypto-addresses (YARA)

      • svchost.exe (PID: 5128)

  • INFO

    • Checks supported languages

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • temp_nik_zbi.exe (PID: 4252)
      • CA8C.tmp.nikzbi.exe (PID: 2224)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Create files in a temporary directory

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • svchost.exe (PID: 5128)
      • explorer.exe (PID: 4552)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Reads the computer name

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • temp_nik_zbi.exe (PID: 4252)
      • CA8C.tmp.nikzbi.exe (PID: 2224)

    • Reads the machine GUID from the registry

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • CA8C.tmp.nikzbi.exe (PID: 2628)

    • Checks proxy server information

      • CRYPTO-wallet-Cracker.exe (PID: 5160)
      • svchost.exe (PID: 5128)
      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Creates files or folders in the user directory

      • temp_nik_zbi.exe (PID: 4252)
      • explorer.exe (PID: 4552)
      • WerFault.exe (PID: 4092)
      • WerFault.exe (PID: 7076)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 5128)
      • explorer.exe (PID: 4552)
      • Taskmgr.exe (PID: 2820)

    • PyInstaller has been detected (YARA)

      • CRYPTO-wallet-Cracker.exe (PID: 508)
      • CRYPTO-wallet-Cracker.exe (PID: 5160)

    • Application launched itself

      • firefox.exe (PID: 4364)
      • firefox.exe (PID: 6580)

    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 6580)

    • Reads the software policy settings

      • WerFault.exe (PID: 7076)
      • WerFault.exe (PID: 4092)

    • Changes appearance of the Explorer extensions

      • svchost.exe (PID: 5128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:25 14:46:41+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 173056
InitializedDataSize: 151040
UninitializedDataSize: -
EntryPoint: 0xb4d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
22
Malicious processes
8
Suspicious processes
3

Behavior graph

Click at the process to see the details
start THREAT crypto-wallet-cracker.exe conhost.exe no specs THREAT crypto-wallet-cracker.exe temp_nik_zbi.exe THREAT svchost.exe explorer.exe ca8c.tmp.nikzbi.exe ca8c.tmp.nikzbi.exe no specs firefox.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe werfault.exe werfault.exe taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
508"C:\Users\admin\AppData\Local\Temp\CRYPTO-wallet-Cracker.exe" C:\Users\admin\AppData\Local\Temp\CRYPTO-wallet-Cracker.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1073807364
Modules
Images
c:\users\admin\appdata\local\temp\crypto-wallet-cracker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
788"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6000 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5596 -prefsLen 31247 -prefMapSize 245487 -jsInitHandle 1360 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bf85147-dc9e-42ab-867f-9b23cda2b3f8} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1336849b850 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1480\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeCRYPTO-wallet-Cracker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2008"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 31255 -prefMapSize 245487 -jsInitHandle 1360 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15fae2aa-f2bd-4922-8ed1-e3df935f7055} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1336849b310 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2224"C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe" C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ca8c.tmp.nikzbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2628"C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exe" C:\Users\admin\AppData\Local\Temp\CA8C.tmp.nikzbi.exeCA8C.tmp.nikzbi.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ca8c.tmp.nikzbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2820"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3424"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240213221259 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 30580 -prefMapSize 245487 -appDir "C:\Program Files\Mozilla Firefox\browser" - {383175f2-6d9a-421f-9205-86950e518f64} 6580 "\\.\pipe\gecko-crash-server-pipe.6580" 1335dee3110 gpuC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4092C:\WINDOWS\system32\WerFault.exe -u -p 6596 -s 824C:\Windows\System32\WerFault.exe
firefox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
4252C:\Users\admin\AppData\Local\Temp\temp_nik_zbi.exeC:\Users\admin\AppData\Local\Temp\temp_nik_zbi.exe
CRYPTO-wallet-Cracker.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Services.exe
Exit code:
0
Version:
1.2.0.1
Modules
Images
c:\users\admin\appdata\local\temp\temp_nik_zbi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
37 139
Read events
35 046
Write events
2 083
Delete events
10

Modification events

(PID) Process:(4552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E01E4
Operation:writeName:VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:(4252) temp_nik_zbi.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Services
Value:
C:\Users\admin\AppData\Roaming\{2F33566DA0B91573532102}\{2F33566DA0B91573532102}.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_Adobe
Value:
C:\Users\admin\AppData\Roaming\Adobe\Service_Adobe.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_com.adobe.dunamis
Value:
C:\Users\admin\AppData\Roaming\com.adobe.dunamis\Service_com.adobe.dunamis.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_FileZilla
Value:
C:\Users\admin\AppData\Roaming\FileZilla\Service_FileZilla.exe
(PID) Process:(5128) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Service_Macromedia
Value:
C:\Users\admin\AppData\Roaming\Macromedia\Service_Macromedia.exe
Executable files
120
Suspicious files
148
Text files
18
Unknown types
1

Dropped files

PID
Process
Filename
Type
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_bz2.pydexecutable
MD5:3DC8AF67E6EE06AF9EEC52FE985A7633
SHA256:C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\VCRUNTIME140.dllexecutable
MD5:0E675D4A7A5B7CCD69013386793F68EB
SHA256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_socket.pydexecutable
MD5:D6BAE4B430F349AB42553DC738699F0E
SHA256:587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:33BBECE432F8DA57F17BF2E396EBAA58
SHA256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_ctypes.pydexecutable
MD5:F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA256:9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:EB0978A9213E7F6FDD63B2967F02D999
SHA256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_hashlib.pydexecutable
MD5:A6448BC5E5DA21A222DE164823ADD45C
SHA256:3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\_ssl.pydexecutable
MD5:8EE827F2FE931163F078ACDC97107B64
SHA256:EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-console-l1-1-0.dllexecutable
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
508CRYPTO-wallet-Cracker.exeC:\Users\admin\AppData\Local\Temp\_MEI5082\api-ms-win-core-file-l1-1-0.dllexecutable
MD5:EFAD0EE0136532E8E8402770A64C71F9
SHA256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
66
DNS requests
73
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5160
CRYPTO-wallet-Cracker.exe
GET
200
176.111.174.140:80
http://176.111.174.140/nuke.exe
unknown
suspicious
6580
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6580
firefox.exe
POST
200
184.24.77.47:80
http://r11.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.47:80
http://r11.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.47:80
http://r11.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.79:80
http://r10.o.lencr.org/
unknown
unknown
6580
firefox.exe
POST
200
184.24.77.47:80
http://r11.o.lencr.org/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6192
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5160
CRYPTO-wallet-Cracker.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
5128
svchost.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
4552
explorer.exe
176.111.174.140:80
Chang Way Technologies Co. Limited
RU
malicious
2024
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2024
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.0
  • 40.126.31.71
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted
spocs.getpocket.com
  • 34.117.188.166
whitelisted
example.org
  • 93.184.215.14
whitelisted

Threats

PID
Process
Class
Message
5160
CRYPTO-wallet-Cracker.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
5160
CRYPTO-wallet-Cracker.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
5160
CRYPTO-wallet-Cracker.exe
Misc activity
ET INFO Packed Executable Download
5160
CRYPTO-wallet-Cracker.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
5160
CRYPTO-wallet-Cracker.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
5160
CRYPTO-wallet-Cracker.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5128
svchost.exe
A suspicious filename was detected
ET HUNTING Terse Named Filename EXE Download - Possibly Hostile
5128
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
5128
svchost.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5128
svchost.exe
Misc activity
ET INFO EXE - Served Inline HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CRYPTO-wallet-Cracker.exe