File name:

d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe

Full analysis: https://app.any.run/tasks/ae812ccf-be8a-4e0a-bc9a-59e4e1f52839
Verdict: Malicious activity
Threats:

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites offering "cracked" software. It was first observed in the wild in 2019.

Analysis date: October 06, 2024, 19:58:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cryptbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

CE86CC8FFD5925447A0137743367035A

SHA1:

7C293FC28C5455F1A71402A36C59F9DDF21275C8

SHA256:

D1A6CB72960CCB4F839D4BED17374B547FD2A6B788A88FEC23400E9B6D3F35BC

SSDEEP:

49152:77Vc8IK51qQd4lm4rkLJcp9M3P5I0VtTd+e8Hi/Q6L+birGUsHkXEfj7+Lumjpg0:77Vc83084bvqpap/b7CHD8XE8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CRYPTBOT has been detected (YARA)

      • d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe (PID: 1164)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads the machine GUID from the registry

      • d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe (PID: 1164)
    • Checks supported languages

      • d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe (PID: 1164)
    • Reads the computer name

      • d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe (PID: 1164)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

CryptBot

PID: 1164
Process: d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe
C2 (1): threvc3pt.top
Strings (364):
GetProcAddress
GetCurrentDirectoryA
ReadFile
MoveFileW
GetModuleFileNameExA
CreateFileMappingA
GetLocaleInfoW
_wtoi
HTTP
LkgwUi
StrStrIW
GetCurrentThread
FindNextFileA
ExtractFilesA
DuplicateHandle
FindFirstFileNameW
HeapReAlloc
RegQueryInfoKeyW
GetSystemWow64DirectoryA
GetBitmapBits
WinHttpSendRequest
user32.dll
FindNextFileW
GetObjectA
ReadConsoleA
Debug.txt
_swprintf
StrStrIA
GetDriveTypeA
\ServiceData\Clip.exe
curl/8.0.1
CreateRemoteThreadEx
malloc
VirtualAlloc
WinHttpSetOption
ExpandEnvironmentStringsA
CreateRemoteThread
OpenThread
URLDownloadToFileW
closesocket
HeapFree
CreateDCW
InternetConnectW
WaitForSingleObject
inet_addr
GetNativeSystemInfo
sprintf_s
FindFirstFileW
VirtualFree
URLOpenBlockingStreamW
ReleaseDC
printf
ShellExecuteW
HttpSendRequestW
GetEnvironmentVariableA
GetDeviceCaps
Process32NextW
GetLastError
urlmon.dll
FCIAddFile
ntdll.dll
GetThreadId
InternetCrackUrlW
WSAStartup
DeleteDC
IStream_Reset
GetVolumeInformationA
wsprintfA
InternetOpenUrlW
Desktop
cabinet.dll
ShellExecuteA
GetModuleFileNameW
UserID.txt
System Error
GetDiskFreeSpaceExW
GetDriveTypeW
VirtualProtectEx
WinHttpOpen
/v1/upload.php
URLOpenBlockingStreamA
WSACleanup
GetConsoleMode
FindFirstFileExW
/zip.php
ScreenShot.jpeg
gdiplus.dll
GetExitCodeThread
Content-Length: %lu
LoadLibraryA
GetObjectW
shell32.dll
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
\RBpmIDoohX
LocalFree
GdipGetImageEncodersSize
"encrypted_key":"
RegEnumKeyExW
ReleaseMutex
SaveImageToStream
ComSpec
IStream_Read
WinHttpReceiveResponse
GetSystemMetrics
HttpOpenRequestW
bind
InternetCloseHandle
CreateProcessA
GetLogicalDriveStringsW
RmGetList
WinHttpQueryOption
GetUserDefaultLocaleName
GetFileSizeEx
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko
abs
GetComputerNameW
\ServiceData
WideCharToMultiByte
GetUserNameA
swprintf
SHGetFolderPathW
RmRegisterResources
GetKeyboardLayoutList
swprintf_s
/gate.php
ws2_32.dll
SHUnicodeToAnsi
free
GetTickCount64
PathFileExistsW
DPAPI
WinHttpAddRequestHeaders
recvfrom
SelectObject
GetFileInformationByHandle
Extract
_snwprintf
NULL
CreateThread
gdi32.dll
HttpSendRequestA
User's Computer Information.txt
GetTempPathW
kernel32.dll
GetCurrentDirectoryW
GetCurrentProcess
SHAnsiToUnicode
GetLocaleInfoA
IStream_Size
GetModuleFileNameA
DeleteObject
GetUserNameW
DeleteFileW
PathFileExistsA
WinHttpReadData
PathIsDirectoryW
InternetConnectA
RegOpenKeyExA
$CREEN.JPEG
WSAGetLastError
WinExec
wsprintfW
GetEnvironmentVariableW
IsWow64Process
realloc
CreateDirectoryW
GdipSaveImageToStream
GdipSaveImageToFile
GetFileAttributesExW
clock
vswprintf
FindClose
GdiplusShutdown
GetCommandLineA
GetModuleHandleExW
FindNextFileNameA
InternetCrackUrlA
MoveFileExW
GdipLoadImageFromFile
HeapCreate
MultiByteToWideChar
FindFirstFileNameA
Apps
WinHttpReadDataEx
CreateProcessW
recv
GdiplusStartup
ExtractFilesW
Others
GetProcessHeap
wnsprintfW
FCIFlushFolder
Browsers
FCICreate
SHGetFolderPathA
CopyFileW
_snwprintf_s
CreateFileW
SHCreateMemStream
GetFileAttributesExA
RemoveDirectoryA
VirtualAllocEx
CopyFileExA
shlwapi.dll
log.txt
calloc
GetFileSize
CreateToolhelp32Snapshot
GetDIBits
SetFilePointer
LoadLibraryExW
GetTimeZoneInformation
rstrtmgr.dll
/c schtasks /create /tn \Service\Data /tr """"%wS""" """%wS"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
MoveFileExA
CreateDCA
advapi32.dll
Sleep
winhttp.dll
RemoveDirectoryW
CreateMutexW
POST
GetSystemWow64DirectoryW
GetFileAttributesW
GetTempFileNameW
WinHttpQueryHeaders
msvcrt.dll
GetLogicalDriveStringsA
CreateFileMappingW
InternetOpenUrlA
OpenProcess
GetSystemInfo
InternetOpenA
LocalAppData
RegQueryInfoKeyA
FCIFlushCabinet
GdipCreateBitmapFromHBITMAP
CreateStreamOnHGlobal
Temp
socket
threvc3pt.top
TerminateProcess
GetModuleHandleExA
UnmapViewOfFile
CopyFileA
atoi
PathIsDirectoryA
CopyFileExW
FileTimeToSystemTime
SleepEx
ReadConsoleW
ExitThread
vsnprintf
advpack.dll
GET
CloseHandle
CoUninitialize
\ServiceData\Clip.au3
WinHttpConnect
SetFilePointerEx
htons
GetTempPathA
GetDiskFreeSpaceExA
CoInitialize
End.txt
FreeLibrary
SystemTimeToFileTime
_vscwprintf
GetProcessId
CreateDirectoryA
SetErrorMode
MapViewOfFile
RmEndSession
_vscprintf
GdipGetImageEncoders
RmStartSession
HTTPS
CreateCompatibleDC
AppData
GetFileAttributesA
wininet.dll
GetTickCount
IsWow64Process2
GetLocalTime
MessageBoxA
DeleteFileA
DISPLAY
GetSystemDirectoryW
WriteConsoleW
MoveFileA
Process32FirstA
Files
send
LocalAlloc
VirtualProtect
StretchBlt
WinHttpCrackUrl
LoadLibraryW
ExitProcess
WinHttpCloseHandle
UserProfile
listen
EnumDisplaySettingsA
ole32.dll
/index.php
WriteFile
InternetReadFileExA
CreateMutexA
wnsprintfA
GetTempFileNameA
CryptUnprotectData
MessageBoxW
analforeverlovyu.top
EnumDisplaySettingsW
GetModuleHandleW
RtlGetVersion
Wallets
LoadLibraryExA
GetSystemDirectoryA
FindFirstFileA
GetVolumeInformationW
GetModuleFileNameExW
_snprintf
strtod
CreateFileA
HttpOpenRequestA
RegCloseKey
Process32NextA
HttpQueryInfoA
HeapAlloc
WriteConsoleA
GetCommandLineW
InternetReadFile
isspace
HttpQueryInfoW
FCIDestroy
winsqlite3.dll
sprintf
GlobalMemoryStatusEx
VirtualFreeEx
FindFirstFileExA
wprintf
InternetOpenW
RegQueryValueExA
An error occurred while starting the application (0xc000007b). To exit the application, click OK.
BitBlt
URLDownloadToFileA
FindNextFileNameW
GetModuleHandleA
RegQueryValueExW
FileTimeToDosDateTime
Process32FirstW
RegEnumKeyExA
CreateCompatibleBitmap
IsBadReadPtr
WinHttpOpenRequest
crypt32.dll
GetComputerNameA
HeapSize
RegOpenKeyExW
ExpandEnvironmentStringsW
accept
InternetReadFileExW
QueryPerformanceCounter
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:03 17:50:22+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.4
CodeSize: 5124096
InitializedDataSize: 7333888
UninitializedDataSize: 3072
EntryPoint: 0x14a0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
Total processes
120
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start #CRYPTBOT d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1164
CMD: "C:\Users\admin\Desktop\d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe"
Path: C:\Users\admin\Desktop\d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\d1a6cb72960ccb4f839d4bed17374b547fd2a6b788a88fec23400e9b6d3f35bc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
427
Read events
427
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
27
DNS requests
31
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5388 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
192.168.100.255:137 | whitelisted
5388 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5388 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
threvc3pt.top | malicious

Threats

PID | Process | Class | Message
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
No debug info