Malware Analysis Report

2024-11-30 02:43

Sample ID 240407-vtzphahf5t
Target Cracker-main.zip
SHA256 7959b3706c6dba0fc5fc2cf851e50e70439024f469cfe6abc6896fd3f94b405b
Tags
upx spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7959b3706c6dba0fc5fc2cf851e50e70439024f469cfe6abc6896fd3f94b405b

Threat Level: Shows suspicious behavior

The file Cracker-main.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx spyware stealer

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:17

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Cracker-main.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Cracker-main.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

142s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cracker-main\Btc_cracker1.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099151" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092170fcef19bdb449203de99649a09b20000000002000000000010660000000100002000000038d51384c24c650770f03da0e079bc2408267fe0bc0ad87eda50cd631baac32c000000000e800000000200002000000069a453e940a4fa4365e670d6f28ab9ac9094dea8eb354a31c749de7f52f59d10200000008934031746419bed4863832d77afc0917722c507b7d77b19f59495d38f7b6b95400000004eb12bbf927d0d2708e56aa2ec029f4081c7505465d3ea9fbd7f638715c1e493fcc6e3e3c2fa48263de10903ece8429efc0df2f8ed8966eb00b2e36b427fceb2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40351d9e0f89da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419275255" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608a079e0f89da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C8D97A27-F502-11EE-BD28-EA184F49D407} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092170fcef19bdb449203de99649a09b200000000020000000000106600000001000020000000f60c965bdc6370d9df0b19fe65a35b756a63c72a984e5ac901b4cf491b4ec736000000000e80000000020000200000003323270d2d43d3282f3b8b2f406cf453608f5c53f5e39a11f2c9f7cb12201c7120000000444d7b93f7c797c3344b95d9458438ec24d1f81c1fb05bd4decc43ee390c22e8400000007e147f9cec125129834df549ee005ef59744823f09035c434152bcc83f06b40e1f935cdc5d32dcb6c27faa30f6cfc26d1688aa8e53e3984744c6b3b26bb571bb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099151" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2644738145" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2640362647" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2640362647" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cracker-main\Btc_cracker1.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3552 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 0fdf8d4784e08367466d7ad42b8a4bbe
SHA1 40fa5885f543762ea3dadfa0921c73fd8fa51907
SHA256 fce517f18328a03918ab11c10cef82020cc1a7b659ddfbbed05e789f0de03d9e
SHA512 56c4a3ff269d13a779d5fa29b464351be93e65bd91c7558d8c44ed8b3e3f4be24c56ccca299addbc797399d36c6351157b93361aedce32e21a645f8c5efd6e01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 8f3eb06776d4e1dfe1e742cb70e22357
SHA1 5ab03e56d3cfe9951e9598dd72ff258065253672
SHA256 bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b
SHA512 450c5dccfbe02ac221b9b05b7f1af43ad9c83701120f8134dca66c03c9e20e38fedd76a0e62a47943044ebb00de338fa001ab662481c12ed61902b9f838c6a27

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cracker-main\Btc_cracker2.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2660981117" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2663325060" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2660981117" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099151" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805f2a9f0f89da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9724A0C-F502-11EE-B3C6-4AFB17CC47EB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099151" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20fbe99e0f89da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2663325060" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068224481a8b3d349b57460395a3447ba00000000020000000000106600000001000020000000050cc9b7cd10b5c3a08833fb9670b460c47f11d2d275406aaa3051462d07f414000000000e8000000002000020000000d79af6c5bd823346f171ab2f9f4cc6a95e0ca167d491f22db4c3b23647f6259c2000000027eafe854008f7fe996fc1fc10f55765a8eff9dd2d5b47c84938c1dd5afb4b9c40000000c78c738e39e7757130406d820bb28a4c4ab50f2e9ef5d42f6602e2eb8ed5cbfc7772fa1fadeb409c9ccdc56953f3b486ae5f88d95b6f861de8b448b4e29ed202 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068224481a8b3d349b57460395a3447ba00000000020000000000106600000001000020000000f99926ae7d356f0cedcfab4444e75b51f9043d6aeb012ca48561f3fafd771f97000000000e8000000002000020000000addb8864ec27e699e20f96c5ccdfff8699288a2d3e809e01f4f5bdb5b5cc101920000000c356fbb8c0d4d1e56349c38d012e125f8ce1dba5643e8fa77e58a883c562340a40000000544098735b713f6f9d82c124b4b8c6fec2b888b9586cbdf7812b2e21d9591963f9c0e58854c5897408f549e3628c8af11a7076bdfd3a8f2e0b80f07c5ad105e3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cracker-main\Btc_cracker2.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 8f3eb06776d4e1dfe1e742cb70e22357
SHA1 5ab03e56d3cfe9951e9598dd72ff258065253672
SHA256 bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b
SHA512 450c5dccfbe02ac221b9b05b7f1af43ad9c83701120f8134dca66c03c9e20e38fedd76a0e62a47943044ebb00de338fa001ab662481c12ed61902b9f838c6a27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 696dd0e2997dea06231ed3fe93b8433e
SHA1 fffd2cae8eb00a0c84bea246b85e538f5cc48af2
SHA256 fae63a8924f628f0d7f77f924c8b5b1031faf829250af7f0e236c36a27012876
SHA512 cd636ae03fabb3d980422bf2b71938985624909543bb69f2271a549a91a00baac2a37144a68b23a2893c619b33a01fb2b0e2ff135c7985a16734e8081fd8acac

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC738.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:21

Platform

win10v2004-20240226-en

Max time kernel

185s

Max time network

176s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cracker-main\LICENSE

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2420 wrote to memory of 3604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 3604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 4568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2420 wrote to memory of 1624 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cracker-main\LICENSE

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4beb7182h52ebh4eafhb8b0h01005cc7ca57

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa7d2a46f8,0x7ffa7d2a4708,0x7ffa7d2a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,17691192182744061379,106616753929102186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,17691192182744061379,106616753929102186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,17691192182744061379,106616753929102186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:80 www.microsoft.com tcp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 214.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
NL 23.62.61.129:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
DE 195.201.57.90:80 ipwho.is tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 114.66.68.104.in-addr.arpa udp
DE 195.201.57.90:80 ipwho.is tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3396-0-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/3396-1-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/1556-4-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-3-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-2-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-9-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-8-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-14-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-13-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-12-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-11-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/1556-10-0x000001A8E0680000-0x000001A8E0681000-memory.dmp

memory/2816-17-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/1812-18-0x0000025AAC8D0000-0x0000025AAC8F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpgn3utw.tjw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1812-28-0x00007FFA7BBA0000-0x00007FFA7C661000-memory.dmp

memory/1812-29-0x0000025A94790000-0x0000025A947A0000-memory.dmp

memory/1812-33-0x00007FFA7BBA0000-0x00007FFA7C661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zpI65LQToM4SwjpmW62pfpfZSklCrH\sensitive-files.zip

MD5 a8f0b0cc09e6fa7ebf603a8a0f1921d5
SHA1 9cde55020aab361070a742512f18e13357c1fff7
SHA256 fd86ece8f7c7133fb9cdc5292fce7a414a1b533e940da6554dffe50c113148df
SHA512 1a5c56ff2fa95a03507b8dd7d94bfb50bedd17031adc0c64de5e6184543f5b92927788b1193abfefb1031c2f00cbb2019951249bb7d14c0deeab306bfb67aa02

C:\Users\Admin\AppData\Local\Temp\zpI65LQToM4SwjpmW62pfpfZSklCrH\user_info.txt

MD5 f1a38c68ae22dbd28560815bac35ddfd
SHA1 8fa6148052d5e9112b5e958e619073d198e59725
SHA256 d730a119653eeaa0765f0c1c531175196c42759f110e2a7f17c57d0fdb7dfbae
SHA512 b9d55fa3a34a4a9acadbe2db235cf39952371404c34867e1e055002e1d285d08bb1bdd03e7e220af94f15a84efa677b9372156da3429c8579bdd5b970062df59

memory/5024-72-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/3396-75-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/2816-76-0x00007FF718530000-0x00007FF718A78000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 279e783b0129b64a8529800a88fbf1ee
SHA1 204c62ec8cef8467e5729cad52adae293178744f
SHA256 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA512 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

\??\pipe\LOCAL\crashpad_2420_PUTWKZMHJHZSNVYP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9703addbe811287383aa445bd493e0a7
SHA1 4cdb7e7c5bc0f155e7f9f41929b1bfa17e51164d
SHA256 65663793c72a4f3600a78dbbe6d8835d3146e874da98cf9fa636e8f4450c6b89
SHA512 8ebda3df1b4b90587ab266862363727fb99559959db7c870cd8efc4145e9a75316dc14217a164ebb0c81aa335b72c010b19aa7d5bdca0aeff864a04f6488e883

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f3b4d24108fdc3e6b7cde0e34d694173
SHA1 264f8292f9bb3bd8b48652035bf00491c262b459
SHA256 1569b9aa5be9d61b74c4e8608b9e37227b29ce6a19b424ae6db485f22ac37a17
SHA512 2af5c9570126dc067a4ba2cfcad17c7ab00cd92302f26f67ac32a126734c22a375f3a01ca240caeb392e6396411634873064faed529203b9545d161008e49fc3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 08f9f3eb63ff567d1ee2a25e9bbf18f0
SHA1 6bf06056d1bb14c183490caf950e29ac9d73643a
SHA256 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

memory/636-140-0x00007FFA7A2B0000-0x00007FFA7AD71000-memory.dmp

memory/636-141-0x0000023B26E30000-0x0000023B26E40000-memory.dmp

memory/636-142-0x0000023B26E30000-0x0000023B26E40000-memory.dmp

memory/636-145-0x00007FFA7A2B0000-0x00007FFA7AD71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\History

MD5 19f07edea5a46ed406e151fb9b8111fc
SHA1 f984527fd18aa5344908091ca78cb088cde2555f
SHA256 24a28a885a3940afe71118a9e1ee9238e226bbef2218a4d110450b01d58eff50
SHA512 989b8f58de2fde6bbbf651bbc4ce2bffc08c946b91efcc200601d7d25c99ff5b58310e4bc23d0e4b43b43b3e8126b402f7d3c850eb5093db67cebb94785beb0a

C:\Users\Admin\AppData\Local\Temp\History

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 a39273467020941d3cd1dd91830b73f1
SHA1 f39a608cbec44b353f1f785dce445216aa6f7cce
SHA256 69cb6cead43458ed507f0ef18718f105d32c2726b1d75b6ebc55c461f76a15f3
SHA512 d4bcb8e684dd1235d82c3bf88ffc8b13d5d4007dcde40e3c2b40e78f72c5ec10701373278834b26ac9fba040c0cda5c47e7df7b25490a1f8bae81181253578b7

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 daa100df6e6711906b61c9ab5aa16032
SHA1 963ff6c2d517d188014d2ef3682c4797888e6d26
SHA256 cc61635da46b2c9974335ea37e0b5fd660a5c8a42a89b271fa7ec2ac4b8b26f6
SHA512 548faee346d6c5700bb37d3d44b593e3c343ca7dc6b564f6d3dc7bd5463fbb925765d9c6ea3065bf19f3ccf7b2e1cb5c34c908057c60b62be866d2566c0b9393

C:\Users\Admin\AppData\Local\Temp\sensitive-files.zip

MD5 4c5a67db8ef8e881d220faeab2cf0443
SHA1 7273e15ddd903080c98ac8f7fbea6a75cd8b7f07
SHA256 81b7f95e90824aa02155c5f526b65507c01413acdd8c623f4b21742137de40be
SHA512 0c9aff904792ec17e2214f1bf26ad8fb00aa6d25dfc74ce1c2647bf6deb9fd99b781df258bb37db99a3bde43b41330b7392993ed15e39a5d69b168cbe974f85b

C:\Users\Admin\AppData\Local\Temp\mSnMd0oAGbFkCLw6Tzxh3rODCXFP45\sensitive-files.zip

MD5 7826537b12fa84a035f851f9817cbdc7
SHA1 969988c95fcc3a8604fd328617e79d6e6bb21c31
SHA256 fcb1e3e32845f13ab1bc61e5c89b76fa891a0c1e9cefd7cfb7f5fab84ef436aa
SHA512 fb2ecd7f44db31bd27539f391eebb1516d60da92ed31b6faa67f7a7f8d17fa2495a84e01829d906c7ff27358186ff818bf53bdf537e655e917164ed25715ff99

memory/5024-192-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/4280-202-0x00007FFA7A2B0000-0x00007FFA7AD71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9843d1de2b283224f4f4b8730ccc919f
SHA1 c053080262aef325e616687bf07993920503b62b
SHA256 409d2853e27efaa5b7e5459a0c29103197e9d661338996a13d61ca225b2222d1
SHA512 13d5809d2078ecd74aec818b510a900a9071605863b0a10037b3a203b76ea17598436ca5049cd13cf3442352670b21d386e84a88bece36e3440d408f123475de

memory/4280-203-0x000002A0F2AF0000-0x000002A0F2B00000-memory.dmp

memory/4280-205-0x000002A0F2AF0000-0x000002A0F2B00000-memory.dmp

memory/4280-208-0x00007FFA7A2B0000-0x00007FFA7AD71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\History

MD5 51e7a830a2432d8e0a7dafa7c3b3bb91
SHA1 9ade9e55cef370411cc196eaeea08055fee135d7
SHA256 06c2d27c6c54d844df3f84997b0f74e7ca488f96facd1f09e04d2255ee5dddba
SHA512 27e1c7fd3a0acb4cd826c1bead0e0c09164acd632043cd767d13c12846fa02b7077b37b91d7b299ba909a610bad2eb352dc7be397b59401fe0c328fbac04f2dd

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 267ded70ecf7a56a0f4886e5cc019426
SHA1 dcd7ce1fd683be593792bc0894507a7a948155a0
SHA256 5ac3948288aa8dbbf4141e073a1fbad51b474562611ddb9dfc84ba7b2d8e926d
SHA512 37a52ed7089fb84ee53ce13341a2a89d0c9db9010ebd01cbe8ea9454e689de31160220f561d79e6963424cca92467a97e1b0e217cb39e8462b2599d023b09883

C:\Users\Admin\AppData\Local\Temp\Cookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\Login Data

MD5 2b14366e624b21cb77de846f1ebf6ba3
SHA1 c80723eb70e325a30674b00392b98ad808e4ea2d
SHA256 d8a3be82f3cb3c5b9358c1be44f8ab400ae079cb50a345ee852e18afb8fbb3a5
SHA512 efd660f9c6ca9acd0ce18889a356de2eaae7941b25bd8a6a9266ac45ef5c3cc92c948ec2de7506399d1f3e464d20e266962c1c8b4e4c13e45ceceae4111a2ac8

C:\Users\Admin\AppData\Local\Temp\jyeXeq0ezwqIWvpHFRi79agRV2UidS\sensitive-files.zip

MD5 c58c8144013319d01866668a5ec218ec
SHA1 1f7b2bff074d92bd5c51fc176db0113316d693f9
SHA256 77852a6805830a9b80e8159e6e5e967e35196d1200e507109130a74ea6405e0e
SHA512 5e39f28cca7ff91837aff0d04a5234df6e256d86037d0740a85d00b0c4ba1bbde088286856e0d9fff79b20708f071d8d329245fd42de862a2e48bf4cf0a73738

C:\Users\Admin\AppData\Local\Temp\jyeXeq0ezwqIWvpHFRi79agRV2UidS\user_info.txt

MD5 ae777e4d5167253a9308abf3d021db14
SHA1 3b33fca770b08e75e2ef06a0ec679c2efb816233
SHA256 7adf070fe7611e46ad6adf148190eaf12c80ba4a2585e5b46f9aefa04f0acd69
SHA512 ff32a8b87c4339a58c22f94093b9a1b98be5a11608cf639a5bf5bb0c65b82dccee713b3368073a5fc84986ac0bb1d83d71ebe8ef6b3d79456696f7cb7ee399ef

memory/2816-254-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/3636-255-0x00007FF718530000-0x00007FF718A78000-memory.dmp

memory/3636-257-0x00007FF718530000-0x00007FF718A78000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Cracker-main\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Cracker-main\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Cracker-main\bitcoin_cracker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:80 ipwho.is tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/2780-0-0x00007FF769F20000-0x00007FF76A468000-memory.dmp

memory/2780-1-0x00007FF769F20000-0x00007FF76A468000-memory.dmp

memory/5000-5-0x000001F849F10000-0x000001F849F32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1kkvsth.dr2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5000-14-0x00007FFB836C0000-0x00007FFB84181000-memory.dmp

memory/2780-15-0x00007FF769F20000-0x00007FF76A468000-memory.dmp

memory/5000-19-0x00007FFB836C0000-0x00007FFB84181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\History

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\Hd0eq8ty7u3dV5oXOtTHRTf9VbwMTE\sensitive-files.zip

MD5 b79a39cdde9831e5edb2de7b9fad11c0
SHA1 304e5b1017dd80361d8d482391ffed5a1ae0d6a6
SHA256 1d9efc0e18e9be5df0de4f1c16c3ca3f69c38af024e4f3fe8961020e9cbeaf6f
SHA512 ef09e989544861e2801a09eff3d7b5181222b449dded97f8cec732fd56407f98e6c0a0b1c487c2ecc093bca9697453273bbfd6c302227c794dc0e3a548265c8c

C:\Users\Admin\AppData\Local\Temp\Hd0eq8ty7u3dV5oXOtTHRTf9VbwMTE\user_info.txt

MD5 f1a38c68ae22dbd28560815bac35ddfd
SHA1 8fa6148052d5e9112b5e958e619073d198e59725
SHA256 d730a119653eeaa0765f0c1c531175196c42759f110e2a7f17c57d0fdb7dfbae
SHA512 b9d55fa3a34a4a9acadbe2db235cf39952371404c34867e1e055002e1d285d08bb1bdd03e7e220af94f15a84efa677b9372156da3429c8579bdd5b970062df59

memory/2780-58-0x00007FF769F20000-0x00007FF76A468000-memory.dmp

memory/2780-61-0x00007FF769F20000-0x00007FF76A468000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-07 17:17

Reported

2024-04-07 17:20

Platform

win10v2004-20240226-en

Max time kernel

115s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.186.138:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 138.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

N/A