Malware analysis crackingcity.com Malicious activity | ANY.RUN

Add for printing

URL:	crackingcity.com
Full analysis:	https://app.any.run/tasks/ec50638d-0958-4800-9f44-b7c0270f6d43
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 07, 2024, 23:46:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer
Indicators:
MD5:	FCE1C7DD002E2D6AEB3D7A230A3F18EA
SHA1:	AB3ACBD63074081EADB867648AABA2892FDB7389
SHA256:	B481A680305FA00D0B5CCD972EAA8E55D2E7B6ADAD648A47BE5C74A6EB9FCBCE
SSDEEP:	3:oLF8Tn:x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - IDMan.exe (PID: 8188)
  - IDMan.exe (PID: 1108)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 7308)
  - IDMan.exe (PID: 7352)
- Starts NET.EXE for service management
  - Uninstall.exe (PID: 8040)
  - net.exe (PID: 6564)
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 2136)
- Adds process to the Windows Defender exclusion list
  - cmd.exe (PID: 2136)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2136)
- Actions looks like stealing of personal data
  - IDMan.exe (PID: 1108)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6948)
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - IDMan.exe (PID: 8188)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 3660)
  - IDMan.exe (PID: 752)
- Application launched itself
  - WinRAR.exe (PID: 6948)
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 208)
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 6500)
- Starts application with an unusual extension
  - idman642build20.exe (PID: 3176)
- The process creates files with name similar to system file names
  - IDM1.tmp (PID: 32)
  - 7za.exe (PID: 6264)
- Creates/Modifies COM task schedule object
  - IDM1.tmp (PID: 32)
  - regsvr32.exe (PID: 6672)
  - regsvr32.exe (PID: 4276)
  - regsvr32.exe (PID: 7324)
  - IDMan.exe (PID: 7352)
  - regsvr32.exe (PID: 7700)
  - regsvr32.exe (PID: 7824)
  - regsvr32.exe (PID: 8132)
  - regsvr32.exe (PID: 8128)
  - regsvr32.exe (PID: 6900)
  - IDMan.exe (PID: 1108)
  - IDMIntegrator64.exe (PID: 8100)
  - regsvr32.exe (PID: 6128)
  - regsvr32.exe (PID: 7044)
  - regsvr32.exe (PID: 5344)
  - regsvr32.exe (PID: 5160)
- Creates a software uninstall entry
  - IDM1.tmp (PID: 32)
- Checks Windows Trust Settings
  - IDMan.exe (PID: 7352)
  - drvinst.exe (PID: 6160)
  - IDMan.exe (PID: 8188)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 8128)
  - IDMan.exe (PID: 3660)
  - IDMan.exe (PID: 752)
- Executable content was dropped or overwritten
  - IDMan.exe (PID: 7352)
  - rundll32.exe (PID: 7308)
  - drvinst.exe (PID: 6160)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - 7za.exe (PID: 6720)
  - 7za.exe (PID: 6264)
- Uses RUNDLL32.EXE to load library
  - Uninstall.exe (PID: 8040)
- Drops a system driver (possible attempt to evade defenses)
  - rundll32.exe (PID: 7308)
  - drvinst.exe (PID: 6160)
  - 7za.exe (PID: 6264)
- Creates files in the driver directory
  - drvinst.exe (PID: 6160)
- Creates or modifies Windows services
  - drvinst.exe (PID: 7360)
  - Uninstall.exe (PID: 8040)
- Drops 7-zip archiver for unpacking
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
- Starts CMD.EXE for commands execution
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - cmd.exe (PID: 3412)
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 208)
  - powershell.exe (PID: 940)
  - cmd.exe (PID: 6500)
  - cmd.exe (PID: 6276)
- Executing commands from a ".bat" file
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - cmd.exe (PID: 3412)
  - powershell.exe (PID: 940)
- The executable file from the user directory is run by the CMD process
  - 7za.exe (PID: 7912)
  - 7za.exe (PID: 7216)
  - 7za.exe (PID: 8080)
  - 7za.exe (PID: 8060)
  - 7za.exe (PID: 6720)
  - 7za.exe (PID: 6264)
  - NSudo86x.exe (PID: 7284)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 8168)
  - cmd.exe (PID: 2136)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 2136)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 7360)
  - conhost.exe (PID: 7340)
  - cmd.exe (PID: 2136)
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 6212)
  - cmd.exe (PID: 1172)
  - cmd.exe (PID: 4732)
- Detected use of alternative data streams (AltDS)
  - powershell.exe (PID: 7008)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 4732)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 6276)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 6276)
- Starts SC.EXE for service management
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 6276)
- Script adds exclusion process to Windows Defender
  - cmd.exe (PID: 2136)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 5556)
  - cmd.exe (PID: 7648)
- Hides command output
  - cmd.exe (PID: 5556)
  - cmd.exe (PID: 6212)
  - cmd.exe (PID: 6292)
  - cmd.exe (PID: 7648)
  - cmd.exe (PID: 4732)
- Request a resource from the Internet using PowerShell's cmdlet
  - cmd.exe (PID: 2136)
- Process drops legitimate windows executable
  - 7za.exe (PID: 6264)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6276)
- Get information on the list of running processes
  - cmd.exe (PID: 6276)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 6276)
INFO
- Application launched itself
  - firefox.exe (PID: 3244)
  - firefox.exe (PID: 5104)
  - firefox.exe (PID: 1440)
  - msedge.exe (PID: 4076)
  - msedge.exe (PID: 7316)
  - msedge.exe (PID: 888)
- Executable content was dropped or overwritten
  - firefox.exe (PID: 5104)
  - WinRAR.exe (PID: 6948)
  - WinRAR.exe (PID: 3716)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6948)
  - firefox.exe (PID: 5104)
  - WinRAR.exe (PID: 3716)
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - runonce.exe (PID: 5732)
  - IDMan.exe (PID: 8188)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - powershell.exe (PID: 8124)
  - powershell.exe (PID: 7600)
  - powershell.exe (PID: 6168)
  - powershell.exe (PID: 6644)
  - IDMan.exe (PID: 1108)
- Manual execution by a user
  - WinRAR.exe (PID: 6948)
  - idman642build20.exe (PID: 3548)
  - idman642build20.exe (PID: 3176)
  - firefox.exe (PID: 1440)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 6868)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - msedge.exe (PID: 4076)
- Checks supported languages
  - idman642build20.exe (PID: 3176)
  - IDM1.tmp (PID: 32)
  - idmBroker.exe (PID: 1164)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - drvinst.exe (PID: 6160)
  - drvinst.exe (PID: 7360)
  - MediumILStart.exe (PID: 6776)
  - IDMan.exe (PID: 8188)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - 7za.exe (PID: 7912)
  - 7za.exe (PID: 7216)
  - 7za.exe (PID: 6720)
  - 7za.exe (PID: 8080)
  - 7za.exe (PID: 8060)
  - mode.com (PID: 5144)
  - 7za.exe (PID: 6264)
  - mode.com (PID: 4316)
  - IDMIntegrator64.exe (PID: 8100)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 752)
  - NSudo86x.exe (PID: 7284)
  - IDMan.exe (PID: 8128)
  - IDMan.exe (PID: 3660)
  - identity_helper.exe (PID: 7700)
  - identity_helper.exe (PID: 5816)
- Create files in a temporary directory
  - idman642build20.exe (PID: 3176)
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - rundll32.exe (PID: 7308)
  - IDMan.exe (PID: 8188)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - 7za.exe (PID: 7912)
  - 7za.exe (PID: 7216)
  - 7za.exe (PID: 6720)
  - reg.exe (PID: 8048)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 8128)
- Reads the computer name
  - IDM1.tmp (PID: 32)
  - idman642build20.exe (PID: 3176)
  - idmBroker.exe (PID: 1164)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - drvinst.exe (PID: 6160)
  - drvinst.exe (PID: 7360)
  - IDMan.exe (PID: 8188)
  - MediumILStart.exe (PID: 6776)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - 7za.exe (PID: 7912)
  - 7za.exe (PID: 7216)
  - 7za.exe (PID: 6720)
  - 7za.exe (PID: 8080)
  - 7za.exe (PID: 8060)
  - 7za.exe (PID: 6264)
  - IDMan.exe (PID: 1108)
  - IDMIntegrator64.exe (PID: 8100)
  - IDMan.exe (PID: 3660)
  - NSudo86x.exe (PID: 7284)
  - IDMan.exe (PID: 8128)
  - IDMan.exe (PID: 752)
  - identity_helper.exe (PID: 5816)
  - identity_helper.exe (PID: 7700)
- Reads the machine GUID from the registry
  - IDMan.exe (PID: 7352)
  - drvinst.exe (PID: 6160)
  - IDMan.exe (PID: 8188)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 3660)
  - IDMan.exe (PID: 752)
  - IDMan.exe (PID: 8128)
- Creates files or folders in the user directory
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - 7za.exe (PID: 6264)
  - IDMan.exe (PID: 1108)
- Process checks computer location settings
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
  - Uninstall.exe (PID: 8040)
  - IDMan.exe (PID: 8188)
  - IDM 6.xx Activator or Resetter v3.3.exe (PID: 2576)
  - IDMan.exe (PID: 1108)
- Reads the software policy settings
  - IDMan.exe (PID: 7352)
  - drvinst.exe (PID: 6160)
  - IDMan.exe (PID: 8188)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 3660)
  - IDMan.exe (PID: 752)
  - IDMan.exe (PID: 8128)
- Creates files in the program directory
  - IDM1.tmp (PID: 32)
  - IDMan.exe (PID: 7352)
- Disables trace logs
  - IDMan.exe (PID: 7352)
  - IDMan.exe (PID: 8188)
  - powershell.exe (PID: 7856)
  - IDMan.exe (PID: 1108)
  - IDMan.exe (PID: 3660)
  - IDMan.exe (PID: 752)
  - IDMan.exe (PID: 8128)
- Checks proxy server information
  - IDMan.exe (PID: 7352)
  - IDMan.exe (PID: 8188)
  - powershell.exe (PID: 7856)
  - IDMan.exe (PID: 1108)
- Reads the time zone
  - runonce.exe (PID: 5732)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 5732)
- Gets a random number, or selects objects randomly from a collection (POWERSHELL)
  - powershell.exe (PID: 7008)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 6848)
  - powershell.exe (PID: 6844)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 7008)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 6848)
  - powershell.exe (PID: 6844)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 7008)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 6848)
  - powershell.exe (PID: 6844)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 8124)
  - powershell.exe (PID: 7600)
  - powershell.exe (PID: 6644)
  - powershell.exe (PID: 6168)
- Checks operating system version
  - cmd.exe (PID: 7360)
  - cmd.exe (PID: 6276)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 8124)
  - powershell.exe (PID: 7600)
  - powershell.exe (PID: 6644)
  - powershell.exe (PID: 6168)
- Process checks whether UAC notifications are on
  - IDMan.exe (PID: 1108)
- Reads Environment values
  - identity_helper.exe (PID: 5816)
  - identity_helper.exe (PID: 7700)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

402

Monitored processes

260

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 7 -isForBrowser -prefsHandle 2988 -prefMapHandle 6460 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1300 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7043ee9e-e995-43b8-93fd-505a90e11442} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 19123abcf50 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

"C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\"

C:\Users\admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

—

idman642build20.exe

User:

admin

Company:

Tonec Inc.

Integrity Level:

HIGH

Description:

Internet Download Manager installer

Exit code:

Version:

6, 42, 7, 1

Modules

Images
c:\users\admin\appdata\local\temp\idm_setup_temp\idm1.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

208

C:\WINDOWS\system32\cmd.exe /c echo prompt $E | cmd

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

236

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2388,i,12216258526005843102,16572498526781990878,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

448

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5520 --field-trial-handle=2388,i,12216258526005843102,16572498526781990878,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

752

"C:\Program Files (x86)\Internet Download Manager\IDMan.exe" /n /d "https://www.internetdownloadmanager.com/pictures/idm_about.png" /p "C:\WINDOWS\Temp" /f temp.png

C:\Program Files (x86)\Internet Download Manager\IDMan.exe

—

cmd.exe

User:

admin

Company:

Tonec Inc.

Integrity Level:

HIGH

Description:

Internet Download Manager (IDM)

Exit code:

Version:

6, 42, 20, 2

Modules

Images
c:\program files (x86)\internet download manager\idman.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

780

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

IDMan.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

888

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.crackingcity.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

936

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 6140 -prefsLen 31161 -prefMapSize 244343 -jsInitHandle 1300 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94f6aace-2b87-4626-8fb4-c6d68cfaea2b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 19123abc150 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

LOW

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

940

powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\admin\AppData\Local\Temp\ytmp\IDM.bat\" -el r1 -qedit'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

conhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

145 396

Read events

144 127

Write events

938

Delete events

331

Modification events


(PID) Process:	(5104) firefox.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Downloads\idm.6.42.20_with_activator_v3.3.rar
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6948) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(3716) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3716) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\idm.6.42.20_with_activator_v3.3.rar

Add for printing

Executable files

Suspicious files

601

Text files

222

Unknown types

Dropped files

PID	Process	Filename		Type
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs.js		text
		MD5:7A97B8DBC4F98D175F958C00F463A52A	SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmp		dbf
		MD5:C78F36BF78A74A5C37232FA18305FA6E	SHA256:319C730AC6614FDCE611894E281CBE1B5E1A304DCD812D6B642D3BE978E82EEC
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.db		binary
		MD5:4D58E3E082D2DB968D82E49DCE00AB7A	SHA256:D5A94141A5DDDA18AC87A652B1E16138A31DECAC9FCE82AF98502D3F91C799A3
5104	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin		binary
		MD5:297E88D7CEB26E549254EC875649F4EB	SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
5104	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

290

DNS requests

308

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5104	firefox.exe	POST	200	23.53.40.161:80	http://r10.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	23.53.40.154:80	http://r11.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	23.53.40.161:80	http://r10.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	23.53.40.154:80	http://r11.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	142.250.185.195:80	http://o.pki.goog/s/wr3/XjA	US	binary	471 b	unknown
5104	firefox.exe	POST	200	23.53.40.161:80	http://r10.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	23.53.40.161:80	http://r10.o.lencr.org/	DE	binary	504 b	unknown
5104	firefox.exe	POST	200	142.250.185.195:80	http://o.pki.goog/wr2	US	binary	471 b	unknown
5104	firefox.exe	POST	200	142.250.185.195:80	http://o.pki.goog/wr2	US	binary	471 b	unknown
5104	firefox.exe	POST	200	142.250.185.195:80	http://o.pki.goog/wr2	US	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6192	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6252	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5104	firefox.exe	188.114.96.3:80	crackingcity.com	CLOUDFLARENET	NL	unknown
5104	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
5104	firefox.exe	34.117.188.166:443	contile.services.mozilla.com	—	—	whitelisted
5104	firefox.exe	216.58.212.170:443	safebrowsing.googleapis.com	—	—	whitelisted
5104	firefox.exe	34.107.243.93:443	push.services.mozilla.com	—	—	whitelisted
5104	firefox.exe	34.36.165.17:443	tiles-cdn.prod.ads.prod.webservices.mozgcp.net	GOOGLE-CLOUD-PLATFORM	US	unknown

DNS requests

Domain	IP	Reputation
google.com	172.217.18.14	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
crackingcity.com	188.114.96.3 188.114.97.3 2a06:98c1:3120::3 2a06:98c1:3121::3	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
example.org	93.184.215.14	whitelisted
ipv4only.arpa	192.0.0.171 192.0.0.170	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7180	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7180	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7180	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
7180	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)

Add for printing

No debug info

General Info

crackingcity.com

FCE1C7DD002E2D6AEB3D7A230A3F18EA

AB3ACBD63074081EADB867648AABA2892FDB7389

B481A680305FA00D0B5CCD972EAA8E55D2E7B6ADAD648A47BE5C74A6EB9FCBCE

3:oLF8Tn:x

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Starts NET.EXE for service management

Adds path to the Windows Defender exclusion list

Adds process to the Windows Defender exclusion list

Uses Task Scheduler to run other applications

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Application launched itself

Starts application with an unusual extension

The process creates files with name similar to system file names

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Checks Windows Trust Settings

Executable content was dropped or overwritten

Uses RUNDLL32.EXE to load library

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates or modifies Windows services

Drops 7-zip archiver for unpacking

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

The executable file from the user directory is run by the CMD process

Uses ATTRIB.EXE to modify file attributes

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Detected use of alternative data streams (AltDS)

Probably obfuscated PowerShell command line is found

Possibly malicious use of IEX has been detected

Using 'findstr.exe' to search for text patterns in files and output

Starts SC.EXE for service management

Script adds exclusion process to Windows Defender

Uses REG/REGEDIT.EXE to modify registry

Hides command output

Request a resource from the Internet using PowerShell's cmdlet

Process drops legitimate windows executable

Uses TASKKILL.EXE to kill process

Get information on the list of running processes

Uses TIMEOUT.EXE to delay execution

INFO

Application launched itself

Executable content was dropped or overwritten

The process uses the downloaded file

Manual execution by a user

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks computer location settings

Reads the software policy settings

Creates files in the program directory

Disables trace logs

Checks proxy server information

Reads the time zone

Reads security settings of Internet Explorer

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Checks operating system version

Script raised an exception (POWERSHELL)

Process checks whether UAC notifications are on

Reads Environment values

Malware configuration

Static information

Video and screenshots