
Windows Analysis Report
Cryptor.exe

Overview

General Information

Sample name: Cryptor.exe
Analysis ID: 1450341
MD5: 4ca40d9d318d97d68fcb518e2c4fe07a
SHA1: 5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
SHA256: 7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
Tags: exe, RustyStealer

Detection

Luca Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • Cryptor.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\Cryptor.exe" MD5: 4CA40D9D318D97D68FCB518E2C4FE07A)
    • powershell.exe (PID: 7760 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 8000 cmdline: C:\Windows\system32\WerFault.exe -u -p 7296 -s 884 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source: 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_LucaStealer | Description: Yara detected Luca Stealer | Author: Joe Security
Source: Process Memory Space: Cryptor.exe PID: 7296 | Rule: JoeSecurity_LucaStealer | Description: Yara detected Luca Stealer | Author: Joe Security
Source: 0.2.Cryptor.exe.7ff77e8c0000.0.unpack | Rule: JoeSecurity_LucaStealer | Description: Yara detected Luca Stealer | Author: Joe Security
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cryptor.exe", ParentImage: C:\Users\user\Desktop\Cryptor.exe, ParentProcessId: 7296, ParentProcessName: Cryptor.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 7760, ProcessName: powershell.exe
No Snort rule has matched


AV Detection

Source: Cryptor.exe | Virustotal: Detection: 47%
Source: Cryptor.exe | ReversingLabs: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.0% probability
Source: Cryptor.exe | Joe Sandbox ML: detected
Source: Cryptor.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1, accept: */*, host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: Cryptor.exe, 00000000.00000002.2567000327.0000009680142000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is/?output=json
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Cryptor.exe, 00000000.00000002.2567527226.000001A4CB2CD000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.2568421532.000001A4CD180000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2234082382.000001A4CB2FC000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000002.2568447682.000001A4CD265000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Cryptor.exe, 00000000.00000002.2567527226.000001A4CB293000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Cryptor.exe, 00000000.00000003.2231300538.000001A4CB2F7000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2226153639.000001A4CB2E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.microso
Source: Cryptor.exe, 00000000.00000003.2159101033.000001A4CB338000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2159355063.000001A4CB2E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Cryptor.exe, 00000000.00000003.2160282835.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2160297388.000001A4CB32D000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2160141756.000001A4CB32F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Cryptor.exe, 00000000.00000003.2159101033.000001A4CB338000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2159355063.000001A4CB2E4000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Cryptor.exe, 00000000.00000003.2160282835.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2160297388.000001A4CB32D000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp, Cryptor.exe, 00000000.00000003.2160141756.000001A4CB32F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17w
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@5/19@2/2
Source: C:\Users\user\Desktop\Cryptor.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Users\user\Desktop\Cryptor.exe | File created: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\
Source: C:\Users\user\Desktop\Cryptor.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Cryptor.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Cryptor.exe, 00000000.00000003.2156934398.000001A4CB2DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown | Process created: C:\Users\user\Desktop\Cryptor.exe "C:\Users\user\Desktop\Cryptor.exe"
Source: C:\Users\user\Desktop\Cryptor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cryptor.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7296 -s 884
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Cryptor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Cryptor.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Cryptor.exe | Static file information: File size 3037184 > 1048576
Source: Cryptor.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x2e4e00
Source: Cryptor.exe | Static PE information: section name: UPX2
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
        Source: C:\Users\user\Desktop\Cryptor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
        Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2519
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3693
        Source: C:\Users\user\Desktop\Cryptor.exe TID: 7300 | Thread sleep time: -35000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 | Thread sleep count: 2519 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep count: 3693 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7876 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808 | Thread sleep time: -922337203685477s >= -30000s
        Note: 922337203685477 is Int64.MaxValue in 100 ns ticks (9223372036854775807) divided by 10000, i.e. an infinite timeout expressed in milliseconds. The powershell.exe entries carrying that value are threads parked on an infinite wait inside the .NET runtime, not a timed evasion sleep; the 35000 delay on Cryptor.exe TID 7300 is the only sleep the sample itself performs in this section.
        Source: C:\Users\user\Desktop\Cryptor.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
        Source: C:\Users\user\Desktop\Cryptor.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
        Note: Win32_Processor.Name is normally the host CPU brand string passed through unchanged by the hypervisor, so on its own it does not reveal a VM; this query is as consistent with profiling the victim for the user_info.txt report the sample writes as with sandbox detection. The baseboard serial is the stronger of the two checks.
        Source: C:\Users\user\Desktop\Cryptor.exe | Thread delayed: delay time: 35000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
        Note: Amcache.hve.8.dr is the copy of the system's Amcache hive that Windows Error Reporting packages into a crash report, so the VMware and Hyper-V strings below are the analysis machine's own device and driver inventory. They show that the sandbox is a VMware guest; they are not strings carried by the sample.
        Source: Amcache.hve.8.dr | Binary or memory string: VMware
        Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
        Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
        Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Cryptor.exe, 00000000.00000002.2567527226.000001A4CB293000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Note: "Hyper-V RAW" next to mswsock.dll is the name of the Winsock catalog entry for the AF_HYPERV socket provider that ships with Windows 10; it appears in the memory of any process that initialises Winsock and says nothing about virtualisation.
        Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
        Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
        Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
        Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
        Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
        Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
        Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Cryptor.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\Cryptor.exe | NtWriteFile: Indirect: 0x7FF77EAFDB77
        Source: C:\Users\user\Desktop\Cryptor.exe | NtReadFile: Indirect: 0x7FF77EB052C7
        Source: C:\Users\user\Desktop\Cryptor.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
        Note: this child does nothing but return the display name of the current culture (the victim's locale). It is a fixed command line spawned from a non-PowerShell parent, which makes it a straightforward process-creation indicator.
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\Cryptor.exe VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\CURQNKVOIX.mp3 VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN.pdf VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN.xlsx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\JSDNGYCOWY.jpg VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\JSDNGYCOWY.mp3 VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.jpg VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.xlsx VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\NWTVCDUMOB.jpg VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.pdf VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.xlsx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\WUTJSCBCFX.pdf VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Desktop\YPSIACHYXW.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\BPMLNOBVSB.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\CURQNKVOIX.mp3 VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\DVWHKMNFNN.mp3 VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\DVWHKMNFNN.pdf VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\DVWHKMNFNN.xlsx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\HTAGVDFUIE.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\JSDNGYCOWY.jpg VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\JSDNGYCOWY.mp3 VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\KATAXZVCPS.jpg VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\KATAXZVCPS.xlsx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\NWTVCDUMOB.jpg VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\ONBQCLYSPU.docx VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.docx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\UMMBDNEQBN.pdf VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ.docx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\VLZDGUKUTZ.xlsx VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\WUTJSCBCFX.pdf VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\Documents\YPSIACHYXW.png VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Autofill VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\CreditCards VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\History VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Passwords VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\screen1.png VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\sensitive-files.zip VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\user_info.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Passwords\Chrome_Default.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Passwords\Edge_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\History\Chrome_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\History\Edge_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\History\Firefox_qnq0haq7.default.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Downloads\Chrome_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Downloads\Edge_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Cookies\Chrome_Default_Network.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Cookies\Edge_Default_Network.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation (2 occurrences)
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Autofill\Chrome_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Autofill\Edge_Default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\KrSr3oDG90T7zCMx7IA327C3rvGRmc\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
        Source: C:\Users\user\Desktop\Cryptor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation
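The volume-information entries above expose the stealer's whole collection loop: it reads the browser credential and session stores (Chrome and Edge Local State, Login Data, Web Data, Network\Cookies and Local Storage\leveldb; Firefox cookies.sqlite), writes the decrypted results under a random 30-character directory in %LOCALAPPDATA%\Temp with Passwords, Cookies, History, Downloads, Autofill and CreditCards subfolders, and zips the result into out.zip. The detection logic below is an added example written for this page, not code from the report or from the malware. It runs over constructed file-access events shaped like these entries (process image, operation, path) and flags a process that reads stores from more than one browser family, or reads a store and then writes into such a staging tree. The Firefox logins.json and key4.db patterns and the 16-character minimum for the staging directory name are assumptions that go beyond what the report shows.

```python
import re
from collections import defaultdict

# Constructed events shaped like the report's "Queries volume information" entries:
# (process image, operation, path). Sample data for the example, not sandbox output.
SAMPLE_EVENTS = [
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "read",
     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "read",
     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "read",
     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "read",
     "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\fqs92o4p.default-release\\cookies.sqlite"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "write",
     "C:\\Users\\user\\AppData\\Local\\Temp\\KrSr3oDG90T7zCMx7IA327C3rvGRmc\\Passwords\\Chrome_Default.txt"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "write",
     "C:\\Users\\user\\AppData\\Local\\Temp\\KrSr3oDG90T7zCMx7IA327C3rvGRmc\\Cookies\\Edge_Default_Network.txt"),
    ("C:\\Users\\user\\Desktop\\Cryptor.exe", "write",
     "C:\\Users\\user\\AppData\\Local\\Temp\\out.zip"),
    # A browser reading its own profile is normal and must not fire.
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "read",
     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "read",
     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
]

# Credential and session stores named in the report. Chromium's Local State holds the
# DPAPI-wrapped key that decrypts Login Data and Cookies, so a read of Local State next to
# those files is the strongest single indicator. logins.json / key4.db (Firefox's password
# store) are an assumption added beyond the report, which only shows cookies.sqlite.
CRED_STORE_RE = re.compile(
    r"(?i)(\\User Data\\Local State$"
    r"|\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies)$"
    r"|\\User Data\\[^\\]+\\Local Storage\\leveldb(\\|$)"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(cookies\.sqlite|logins\.json|key4\.db)$)"
)
BROWSER_FAMILY_RE = re.compile(r"(?i)\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\")

# The staging tree: a long random directory under %LOCALAPPDATA%\Temp with per-category
# subfolders, then an archive somewhere under Temp. The 16-character minimum is an
# assumption; the sample used 30.
STAGING_RE = re.compile(
    r"(?i)\\AppData\\Local\\Temp\\[A-Za-z0-9]{16,}\\"
    r"(Passwords|Cookies|History|Downloads|Autofill|CreditCards)\\"
)
ARCHIVE_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\.*\.zip$")


def analyze(events):
    """Group evidence per process image: stores read, browser families touched,
    staging-tree writes and archives written."""
    per_image = defaultdict(lambda: {"stores": set(), "families": set(),
                                     "staging": set(), "archives": set()})
    for image, op, path in events:
        rec = per_image[image]
        if op == "read" and CRED_STORE_RE.search(path):
            rec["stores"].add(path)
            fam = BROWSER_FAMILY_RE.search(path)
            if fam:
                rec["families"].add(fam.group(1).lower())
        elif op == "write" and STAGING_RE.search(path):
            rec["staging"].add(path)
        elif op == "write" and ARCHIVE_RE.search(path):
            rec["archives"].add(path)
    return per_image


def flagged(events):
    """Images that behave like a stealer: stores from two or more browser families, or a
    store read combined with a staging-tree or archive write. A browser reads only its own
    family and writes neither, so it stays below the bar without an image allowlist."""
    hits = []
    for image, rec in analyze(events).items():
        if not rec["stores"]:
            continue
        if len(rec["families"]) >= 2 or rec["staging"] or rec["archives"]:
            hits.append(image)
    return sorted(hits)


if __name__ == "__main__":
    for image in flagged(SAMPLE_EVENTS):
        rec = analyze(SAMPLE_EVENTS)[image]
        print(f"{image}: {len(rec['stores'])} stores from {sorted(rec['families'])}, "
              f"{len(rec['staging'])} staging writes, {len(rec['archives'])} archives")
```

Feed it Sysmon Event ID 11 (FileCreate) for the write side and an EDR file-read feed for the read side; Sysmon on its own does not record reads, so without an EDR the staging-tree and archive writes are the part you can actually hunt on.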
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
        Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
        Source: C:\Users\user\Desktop\Cryptor.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.Cryptor.exe.7ff77e8c0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Cryptor.exe PID: 7296, type: MEMORYSTR
        Source: Cryptor.exe, 00000000.00000003.2161890220.000001A4CB2DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
        Source: Cryptor.exe, 00000000.00000003.2167629791.000001A4CB2FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Wallets\Jaxx\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
        Source: Cryptor.exe, 00000000.00000003.2231711648.000001A4CB2C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: @\Roaming\exodus\exodus.wal
        Source: Cryptor.exe, 00000000.00000003.2161890220.000001A4CB2DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum
        Source: Cryptor.exe, 00000000.00000003.2231711648.000001A4CB2C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming/Epic Privacy Browser/User Data/Local Storage/leveldbm\keystore\B
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
        Source: C:\Users\user\Desktop\Cryptor.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\

        Remote Access Functionality

Source: Yara match | File source: 0.2.Cryptor.exe.7ff77e8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Cryptor.exe PID: 7296, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic, cells listed top to bottom; the number in brackets is the count of signatures mapped to that technique, techniques without a count had no match in this analysis)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation [31], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection [11], Abuse Elevation Control Mechanism [1], DLL Side-Loading [1], Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading [1], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [31], Process Injection [11], Abuse Elevation Control Mechanism [1], Obfuscated Files or Information [1], Software Packing [1], DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery [31], Process Discovery [1], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], System Network Configuration Discovery [1], File and Directory Discovery [1], System Information Discovery [22], System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Data from Local System [3], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Web Service [1], Encrypted Channel [2], Ingress Tool Transfer [1], Non-Application Layer Protocol [2], Application Layer Protocol [3], Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
Cryptor.exe | 47% | Virustotal |
Cryptor.exe | 54% | ReversingLabs | Win32.Trojan.Generic
Cryptor.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label
ipwho.is | 0% | Virustotal |
api.telegram.org | 2% | Virustotal |
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400 | 1% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
http://ipwho.is/?output=json | 0% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://docs.rs/getrandom#nodejs-es-module-supportCalling | 0% | Virustotal |
https://cdn.ipwhois.io/flags/us.svg | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ipwho.is/?output=json | Cryptor.exe, 00000000.00000002.2567000327.0000009680142000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400 | Cryptor.exe, 00000000.00000002.2567527226.000001A4CB2CD000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000002.2568421532.000001A4CD180000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2234082382.000001A4CB2FC000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000002.2568447682.000001A4CD265000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.microso | Cryptor.exe, 00000000.00000003.2231300538.000001A4CB2F7000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2226153639.000001A4CB2E9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | Cryptor.exe, 00000000.00000003.2160282835.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2160297388.000001A4CB32D000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2160141756.000001A4CB32F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | Cryptor.exe, 00000000.00000003.2159101033.000001A4CB338000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2159355063.000001A4CB2E4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | Cryptor.exe, 00000000.00000003.2160282835.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2160297388.000001A4CB32D000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2160141756.000001A4CB32F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | Cryptor.exe, 00000000.00000003.2159101033.000001A4CB338000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2159355063.000001A4CB2E4000.00000004.00000020.00020000.00000000.sdmp; Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Cryptor.exe, 00000000.00000003.2158548601.000001A4CB315000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17w | Cryptor.exe, 00000000.00000003.2159482302.000001A4CB326000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.ipwhois.io/flags/us.svg | Cryptor.exe, 00000000.00000002.2567527226.000001A4CB293000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-supportCalling | Cryptor.exe, 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
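The behaviour documented above (a non-browser process opening Chrome "Login Data" / "Web Data" / extension storage and Firefox cookies.sqlite, walking wallet directories for Exodus, Guarda, Electrum, Coinomi and Atomic, looking up its public IP at ipwho.is and then uploading to the Telegram Bot API sendDocument endpoint) is a pattern a detection engineer can correlate per process. The following is an added example written for this page, not code from Joe Sandbox or from the Luca Stealer author: it runs a small correlation over constructed file-open and network-connect telemetry lines. The pipe-separated log schema, the process allowlist for chrome.exe and firefox.exe, the PIDs other than 7296, and the Telegram bot token in the sample log are all assumptions made for the example; the paths and the ipwho.is / api.telegram.org URL shapes are the ones the report shows.

```python
"""Per-process correlation of the stealer pattern seen in this report.

Constructed telemetry, constructed schema: "pid|image path|event|target".
Only the store paths, wallet directories and URL shapes come from the report.
"""
import re
from collections import defaultdict

# Browser credential/cookie stores Cryptor.exe opened, generalised to any profile.
BROWSER_STORE_RE = re.compile(
    r"\\(Google\\Chrome\\User Data\\.*\\(Login Data|Web Data|Local Extension Settings)"
    r"|Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite(-wal)?)(\\|$)",
    re.IGNORECASE,
)
# Wallet directories from the "File opened" list above.
WALLET_DIR_RE = re.compile(
    r"\\(exodus\\exodus\.wallet|Guarda\\Local Storage\\leveldb|Electrum\\wallets"
    r"|Coinomi\\Coinomi\\wallets|atomic\\Local Storage\\leveldb)(\\|$)",
    re.IGNORECASE,
)
# Telegram Bot API upload; the path embeds the bot token as <numeric id>:<secret>.
TELEGRAM_UPLOAD_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):[\w-]+/send(Document|Message|Photo)\b"
)
GEOIP_RE = re.compile(r"^https?://ipwho\.is/")

# Assumption: only these images may legitimately read their own browser stores.
ALLOWED_BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}


def parse_event(line):
    """Split one constructed log line into its fields."""
    pid, image, event, target = line.strip().split("|", 3)
    return {"pid": pid, "image": image, "name": image.rsplit("\\", 1)[-1].lower(),
            "event": event, "target": target}


def analyse(log_lines):
    """Return one finding per process that touched credential stores or wallets.

    Severity is "high" when the same process also uploaded to the Telegram Bot
    API, "medium" when only the collection side was observed.
    """
    state = defaultdict(lambda: {"image": None, "browser": [], "wallet": [],
                                 "bot_id": None, "geoip": False})
    for line in log_lines:
        ev = parse_event(line)
        st = state[ev["pid"]]
        st["image"] = ev["image"]
        if ev["event"] == "FileOpen":
            if BROWSER_STORE_RE.search(ev["target"]) and ev["name"] not in ALLOWED_BROWSER_IMAGES:
                st["browser"].append(ev["target"])
            if WALLET_DIR_RE.search(ev["target"]):
                st["wallet"].append(ev["target"])
        elif ev["event"] == "NetConnect":
            m = TELEGRAM_UPLOAD_RE.match(ev["target"])
            if m:
                st["bot_id"] = m.group("bot_id")
            elif GEOIP_RE.match(ev["target"]):
                st["geoip"] = True

    findings = []
    for pid, st in sorted(state.items()):
        reasons = []
        if st["browser"]:
            reasons.append("browser_store_access")
        if st["wallet"]:
            reasons.append("wallet_dir_access")
        if not reasons:
            continue  # a Telegram client on its own is not evidence of theft
        if st["bot_id"]:
            reasons.append("telegram_bot_upload")
        if st["geoip"]:
            reasons.append("geoip_lookup")
        findings.append({"pid": pid, "image": st["image"],
                         "severity": "high" if st["bot_id"] else "medium",
                         "reasons": reasons, "bot_id": st["bot_id"],
                         "paths": st["browser"] + st["wallet"]})
    return findings


# Constructed sample telemetry (token, chat_id and PIDs other than 7296 are made up).
SAMPLE_LOG = [
    r"4120|C:\Program Files\Google\Chrome\Application\chrome.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"7296|C:\Users\user\Desktop\Cryptor.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"7296|C:\Users\user\Desktop\Cryptor.exe|FileOpen|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal",
    r"7296|C:\Users\user\Desktop\Cryptor.exe|FileOpen|C:\Users\user\AppData\Roaming\Electrum\wallets",
    r"7296|C:\Users\user\Desktop\Cryptor.exe|NetConnect|http://ipwho.is/?output=json",
    r"7296|C:\Users\user\Desktop\Cryptor.exe|NetConnect|https://api.telegram.org/bot1234567890:AAAAconstructedTokenPlaceholder/sendDocument?chat_id=-1001",
    r"8001|C:\Users\user\AppData\Local\Temp\backup.exe|FileOpen|C:\Users\user\AppData\Roaming\exodus\exodus.wallet",
    r"9100|C:\Tools\notifier.exe|NetConnect|https://api.telegram.org/bot1234567890:AAAAconstructedTokenPlaceholder/getUpdates",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["severity"], f["pid"], f["image"], ",".join(f["reasons"]), f["bot_id"])
```

The allowlist is keyed on image name only, so a renamed binary would pass; in a real deployment key it on signer or full path. The extracted bot_id is the stable half of the token and is the value worth pivoting on across samples, since the same bot usually receives uploads from every build of a campaign.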
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1450341
            Start date and time:2024-06-01 18:40:28 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 27s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name:Run with higher sleep bypass
Number of new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Cryptor.exe
            Detection:MAL
            Classification:mal84.troj.spyw.evad.winEXE@5/19@2/2
            EGA Information:Failed
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.189.173.21
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenFile calls found.
            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 9JVOOyGBXT.exe | malicious | DCRat, PureLog Stealer, zgRAT |
149.154.167.220 | ajb5QcGVGK.exe | malicious | DCRat |
149.154.167.220 | SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe | malicious | AgentTesla, PureLog Stealer |
149.154.167.220 | Attachments.zip | malicious | Unknown |
149.154.167.220 | DHL DOC..exe | malicious | AgentTesla |
149.154.167.220 | hesaphareketi-01.exe | malicious | AgentTesla |
149.154.167.220 | sipari#U015f formu_831512.exe | malicious | AgentTesla |
149.154.167.220 | Due Invoice pdf.exe | malicious | AgentTesla, PureLog Stealer, XWorm |
149.154.167.220 | RFQ.exe | malicious | AgentTesla |
195.201.57.90 | rust-stealer-xss.exe | malicious | Discord Token Stealer, Luca Stealer | /?output=json
195.201.57.90 | Build.exe | malicious | Luca Stealer, Quasar | /?output=json
195.201.57.90 | rust-stealer-xss.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | 3r3usOVGsa.exe | malicious | BlackGuard | ipwhois.app/xml/
195.201.57.90 | KvVXVfYvlF.exe | malicious | BlackGuard, SmokeLoader | ipwhois.app/xml/
195.201.57.90 | file.exe | malicious | BlackGuard | ipwhois.app/xml/
195.201.57.90 | file.exe | malicious | BlackGuard | ipwhois.app/xml/
195.201.57.90 | file.exe | malicious | BlackGuard | ipwhois.app/xml/
195.201.57.90 | JFBYfxYeTO.exe | malicious | BlackGuard | ipwhois.app/xml/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | rust-stealer-xss.exe | malicious | Discord Token Stealer, Luca Stealer | 195.201.57.90
ipwho.is | Build.exe | malicious | Luca Stealer, Quasar | 195.201.57.90
ipwho.is | KR6nDu9fLhop1bFe.exe | malicious | Quasar | 195.201.57.90
ipwho.is | rust-stealer-xss.exe | malicious | Luca Stealer, Rusty Stealer | 195.201.57.90
ipwho.is | http://nxxoui9ah5qto.pages.dev/smart89 | malicious | Unknown | 195.201.57.90
ipwho.is | 01vwXiyQ8K.exe | malicious | Quasar | 195.201.57.90
ipwho.is | http://amht38eh3e3f98ox0ld1rc4h3fjcowz98ldjp5hek8.pages.dev/ | malicious | Unknown | 195.201.57.90
ipwho.is | SecuriteInfo.com.Trojan.PWS.Stealer.36926.32356.23713.exe | malicious | Unknown | 147.135.36.89
ipwho.is | SecuriteInfo.com.Trojan.PWS.Stealer.36926.32356.23713.exe | malicious | Unknown | 195.201.57.90
api.telegram.org | 9JVOOyGBXT.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | ajb5QcGVGK.exe | malicious | DCRat | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | Attachments.zip | malicious | Unknown | 149.154.167.220
api.telegram.org | DHL DOC..exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | hesaphareketi-01.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | sipari#U015f formu_831512.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Due Invoice pdf.exe | malicious | AgentTesla, PureLog Stealer, XWorm | 149.154.167.220
api.telegram.org | RFQ.exe | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 149.154.167.99
TELEGRAMRU | 9JVOOyGBXT.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | ajb5QcGVGK.exe | malicious | DCRat | 149.154.167.220
TELEGRAMRU | http://www.aviatorx.sbs.recl.cc/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://telegram-vn.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://dl.dir.freefiremobile.com.sg5.putrivpn.biz.id/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | http://b9824.top/ | malicious | Unknown | 149.154.170.96
TELEGRAMRU | Rtq5bR0yeF.exe | malicious | RedLine | 149.154.167.99
TELEGRAMRU | file.exe | malicious | Vidar | 149.154.167.99
HETZNER-ASDE | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 159.69.102.132
HETZNER-ASDE | 3Lf408k9mg.exe | malicious | PureLog Stealer, SystemBC | 116.202.102.103
HETZNER-ASDE | PAYMENT RECEIPT.exe | malicious | FormBook | 178.63.50.103
HETZNER-ASDE | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-ASDE | Revised Order.exe | malicious | DarkTortilla, FormBook | 135.181.212.206
HETZNER-ASDE | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-ASDE | QT-2402078.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-ASDE | QT-2402078.scr.exe | malicious | Unknown | 88.99.137.18
HETZNER-ASDE | DHL Newly Arrived Parcel.exe | malicious | FormBook | 135.181.212.206
                              No context
                              No context
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):0.9494283870414799
                              Encrypted:false
                              SSDEEP:96:aoFQlty6LoschqrW7qOnSKQXIDcQOc6IbcEHcw3y2S+HbHg/uAnQe88jDWps8Ovi:HUoAt50gStFjty3zuiFZZ24lO8o
                              MD5:708CDC4DAD3EA1D4D0C48029128E9968
                              SHA1:65ED1236109C75AF05E4ECEB1A7876B711109B69
                              SHA-256:7A426AD1AB0EB93D8A34F3EA68B9AE8CC1802D35A283D386DFD04AE0489E49BF
                              SHA-512:7A619B34CD427E7FF2559FB1CB8AF0B64A277B489936FD5CC09FFDB6BE6CB8A17C6808114A0D142A771785DDD5900A2DC8DF26D4E1D60FAF3C65A4B69A0A6CF9
                              Malicious:false
                              Reputation:low
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.7.3.3.7.3.7.5.5.4.7.2.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.7.3.3.7.3.8.3.5.1.5.9.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.a.7.4.e.9.d.-.6.9.4.1.-.4.4.9.1.-.b.f.8.f.-.3.6.3.9.1.1.4.8.9.1.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.0.5.c.9.8.8.-.f.7.5.e.-.4.b.4.f.-.9.4.7.5.-.a.e.8.2.4.a.a.1.4.0.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.C.r.y.p.t.o.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.8.0.-.0.0.0.1.-.0.0.1.4.-.6.c.1.5.-.9.1.8.8.4.2.b.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.6.3.1.8.4.2.7.d.f.4.a.4.2.0.6.6.d.0.c.a.9.a.5.0.6.2.5.9.1.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.5.f.c.2.e.9.0.b.7.b.c.1.a.a.4.d.0.0.c.2.d.c.9.e.0.0.6.4.0.5.6.b.3.9.5.6.e.4.2.5.!.C.r.y.p.t.o.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.5././.2.4.:.0.1.:.5.0.:.3.7.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Sat Jun 1 16:42:17 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):191108
                              Entropy (8bit):1.3859024715960964
                              Encrypted:false
                              SSDEEP:384:DoMP4MIEYAlmP0XpXipY8TcbT5yo9k5U26EKvmT7:DnPwAlmgwkT5yo9kkXm7
                              MD5:BBB74D7D92BBC3B45B62D5371F5EC93E
                              SHA1:F8E25A50F2340F81147FDC6327D84E3AE6FC5434
                              SHA-256:60537337435CF67B7BCFE72889985CD97F2BA200E895B57AD25CE24815DE8F49
                              SHA-512:0D49C263228180C7B1546960FAA7ABF4B122FFF69EF585D8725C5EA410559851A591D0629B46F00EDA1F2C3A758208C6F3B5E4A41C29D251B57A3EDB21198869
                              Malicious:false
                              Reputation:low
                              Preview:MDMP..a..... .......iO[f............D...............X............e..........`.......8...........T............%..................................L.... ..............................................................................eJ....... ......Lw......................T...........1O[f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8858
                              Entropy (8bit):3.699062602813411
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJ6Pj6Y9Gwgpgmf2opDO89buwDZ3f4am:R6lXJyj6YMNpgmf2CuSZ3f0
                              MD5:2970A18A2F357F045EF1A194F54B2A44
                              SHA1:3594DD373EA663BD5C7DD3001A8E6869112182CF
                              SHA-256:835F2DE979D167CE367C56F394CD2618A27C02D8D94E6E6D2D3D94471B9CA44B
                              SHA-512:4AF25ABC5B32FA0D7197238438E705906D5F4360682D9E24B4C1E4391EA2E6748B09CC684F1220495C84C5D3597249AFAE9A62BDC9A80EA4F5AD3A2FEC863DF1
                              Malicious:false
                              Reputation:low
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.9.6.<./.P.i.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4735
                              Entropy (8bit):4.426005407761969
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zsniJg771I9vMWpW8VYJYm8M4JIyVF/yq8vvTW2mOmsd:uIjfnwI7El7VJJISWLWJOmsd
                              MD5:4F3170C849015927B05E70F6BA85BCB6
                              SHA1:CB9E06D69A47E8896D453CEFA0A9156F3721830F
                              SHA-256:9966A9D4026A47D64334649668FC52B285E07F643F87814116046B52DB924C5D
                              SHA-512:732AD4F8DD66668AD4E7E49E4F7CD1786FF097EEF41725FD57EF23530C76926B04A66B14E4A2BC4E6CA299181F97BEA04C2D73A47767382EB66C6F791D69939A
                              Malicious:false
                              Reputation:low
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="348944" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):0.773832331134527
                              Encrypted:false
                              SSDEEP:3:Nlllulklll/l:NllUk/
                              MD5:5A73591A1E1C7267AFC411B693F2863E
                              SHA1:603AB1918E225C584AB896076F9A72B3C7394A12
                              SHA-256:611F40F5367A0FE36D9FFFC0040AC1A11190C8309134F9DF3AEA5177E04299F9
                              SHA-512:152D06A246F0E7874CE564A5C3257D1D203E643D3D6A71DDBA3049076E9D1543BA29A8137B716FE61E1C080490D0AC076F985F2AD2078C55C17B362386418A29
                              Malicious:false
                              Reputation:low
                              Preview:@...e................................. .........................
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                              Category:dropped
                              Size (bytes):28672
                              Entropy (8bit):2.5793180405395284
                              Encrypted:false
                              SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                              MD5:41EA9A4112F057AE6BA17E2838AEAC26
                              SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                              SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                              SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                              Category:dropped
                              Size (bytes):126976
                              Entropy (8bit):0.47147045728725767
                              Encrypted:false
                              SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                              MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                              SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                              SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                              SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:ASCII text, with very long lines (522), with CRLF line terminators
                              Category:dropped
                              Size (bytes):3348
                              Entropy (8bit):5.8371611195815145
                              Encrypted:false
                              SSDEEP:96:4JMcoO2gFcRqFZL2buiCsNv3pfKUhRG3qsyXw4B2cksi:euFRiyikNy
                              MD5:26DE0E8E10E90A47229AEC7215CCD2DD
                              SHA1:631ACCA2F37A1191AAB5786BC4CBF8D67085930D
                              SHA-256:7C2C1C38CD5A51DEC76A80A18C1428151A8AB8E8AC21C519BF3E18D53B4261EB
                              SHA-512:E5AA19052EFAB810E196FB2E7CD7061CFC28E3AD881DB1DEA65CD94F748812086CE455ED44001FB7676DF515B62F8141010EAD9EE6343AC18B25901CC3C24D8B
                              Malicious:false
                              Preview:.google.com.true./.true.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.false./.true.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.true./signin-oidc.true.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.true./signin-oidc.true.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.true./.true.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.false./.true.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f
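The dropped file above is the stealer's cookie dump in Netscape format, but its expiry column is not Unix time: a 17-digit value such as 13356618603686193 is Chromium's raw expires_utc field, microseconds since 1601-01-01 UTC, copied straight out of the browser's Cookies database. The parser below is an added example and not part of the Joe Sandbox report; it converts that field and reports which cookies were still usable at a given instant. Its two input records are reconstructed from the preview, with the separator (rendered as dots in the report) assumed to be a tab and the first cookie value truncated.

```python
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed input: two records taken from the preview of the dropped cookie
# file, with tabs assumed as the separator and the first value truncated.
SAMPLE_DUMP = (
    ".google.com\ttrue\t/\ttrue\t13356618603686193\tNID\t"
    "511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL\r\n"
    "support.microsoft.com\tfalse\t/\ttrue\t13340887435186329\t"
    ".AspNetCore.AuthProvider\tTrue\r\n"
)


def webkit_to_datetime(value: int) -> datetime:
    """Chromium stores cookie expiry as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def parse_cookie_dump(text: str) -> list:
    """Parse Netscape-style lines whose expiry column is a raw Chromium timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # tolerate malformed lines; stealer output is not tidy
        domain, subdomains, path, secure, expiry, name, value = fields[:7]
        records.append({
            "domain": domain,
            "include_subdomains": subdomains.lower() == "true",
            "path": path,
            "secure": secure.lower() == "true",
            "expires_utc": webkit_to_datetime(int(expiry)),
            "name": name,
            "value": value,
        })
    return records


def valid_at(records: list, when_iso: str) -> list:
    """Return the cookies whose expiry lies after the given ISO-8601 instant (UTC if naive)."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return [r for r in records if r["expires_utc"] > when]


if __name__ == "__main__":
    for r in parse_cookie_dump(SAMPLE_DUMP):
        print(f'{r["domain"]:<24} {r["name"]:<26} expires {r["expires_utc"].isoformat()}')
```

The NID expiry converts to 2024-04-03 11:50:03 UTC and the support.microsoft.com cookie to 2023-10-04 10:03:55 UTC, so at the start of 2024 only NID would still be replayable by whoever receives the log. Reading the column as Unix seconds instead would place both expiries hundreds of millions of years in the future, which is the usual sign that a dump has not been converted.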
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                              Category:dropped
                              Size (bytes):908225
                              Entropy (8bit):7.548212698914831
                              Encrypted:false
                              SSDEEP:12288:UUQKIVKqqdrYq3oh+3p0csucF7c6Bo/HkOFNSf4zuy+0efVbr0B:GKeq+qXp05rOZt
                              MD5:CB37B883C6A54A36DDD4D0FAD712203E
                              SHA1:5A65BE9D721DFB3A140EB34A53F19C1044AD226A
                              SHA-256:8C387092BA8D7C275E42B7FE421C285A238831DFE1B5F1AF148293DC7A079154
                              SHA-512:E9DB216867BFBC419048CDA654AE8260B02DFB09BB896BDAFCDCE854C7E0BE7624FBEA5090F64307ED4F5043DEED84FE951CDD3FFEE2C9A82474F55DF25D64A9
                              Malicious:false
                              Preview:.PNG........IHDR................C...IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):22474
                              Entropy (8bit):7.832332347635486
                              Encrypted:false
                              SSDEEP:384:cn30GP84P85Jdvfv4mCX1Zan30GP84P85Jdvfv4mCX1Z/:S8E8hvfv4mCFZo8E8hvfv4mCFZ/
                              MD5:93E2A3886DF9E8D70563422D3AD6C361
                              SHA1:0D36A9B9EAF047958939E11A47524BF20ADD6AB2
                              SHA-256:4377AAAA38C50318381A2F563A8B406B34FA128AF651687172A2F7942DB7E155
                              SHA-512:4B30B3186D462905B0F302F86AC6A75C4A5FDD9156C8F2B49A311A6680B7A1CE4B57538D397E02AC6A0A03518951175D1410AF97E92B162F76CAC4708A96D1EB
                              Malicious:false
                              Preview:PK...........X................BPMLNOBVSB.png..I.E!.....R.QqD....-.".Jt+...S..f.i..A..\..b...*f..]..L.J.ZK.7.7~....[....J......u.<...|g7.$..@.U..dm\)uU.f..5..u.,.....1.P5...D.%5..M.q..gS......k.*....k.?......Q.7.........jY.,..L....\....CJ....)..W.Y.,...J5..:..8..h..db.=6....y.[.a%...3..\.....3..=D.....Im..P.....E.Dc......s........!.....}n..R).t./....V...y../...n.(..^.a$........G...{}.)gz.h.>...:|....p.m..0.B;.D..$Bo5..}.U.K..>..N.C.o.8..|./3Z>5...Q.n.......<...CgQ....9KI'.]F..z..B.pp....SwGGt.K.W.e......A...=..;.#.u.Cv2...7Vc.|j.KU..j.k.......Sj..Sh_..N0L$ 6....z:.....{..gI.O.........(pK.....3sf|...&De>.}........{OU.1.p..:...?..6~..W.j..~PK...........X...............DVWHKMNFNN.pdf..Ir@!.D....?....p...l....aeA..K...E.....[.ph..kQ..T..j.uUnVT.$U...K7+}lZ..I.](.X..5b>..M.".uSl....u....|.c..'}.U ....2.'....U0A..*qO..v.9X.Z...n.E}....us..,]...[g.:..-...6:_.PK...H...=..P...q....).@d^..Ou..W.S.=.....d..[!..L...rr]C.M&S.E}.e:>K.[...U..
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                              Category:modified
                              Size (bytes):661
                              Entropy (8bit):5.332603480362023
                              Encrypted:false
                              SSDEEP:12:eM36nIQN3eyQ8Xx6YDrJFWlQM7NlVrbBQM3aWfgyIHdAej01+XaBLF:exVNbNxVpJM7NlVrbe8dOAejU+qBLF
                              MD5:03BEADEB7D6B70E93987B9D92E3E82E1
                              SHA1:20BA861D49A208AE7D8E9A3F3A0E74ACF251E5B0
                              SHA-256:5928A4B7B5EB601F1C1BE61DB5C2BFD88E692E4F9815AA6C3584F2CD34D4B3FE
                              SHA-512:D6D0068B42D8F082392ADCA8508A42E2F327EC757258684E39697DA0A75083DBAEF46FC3736F4CEDF4BC9852014F391A16E677BEB4FDDE69A033F507025D3CF2
                              Malicious:false
                              Preview:..- IP Info -....IP: 173.254.250.91..Country: United States..City: Dallas..Postal: 75201..ISP: Quadranet Enterprises LLC - A8100..Timezone: -05:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - S5PM3 (1280, 1024)..HWID: 5498421419228756..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\Cryptor.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: . 25...Wallets: ....Files: . 30...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Others: ..
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                              Category:dropped
                              Size (bytes):49152
                              Entropy (8bit):0.8180424350137764
                              Encrypted:false
                              SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                              MD5:349E6EB110E34A08924D92F6B334801D
                              SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                              SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                              SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                              Malicious:false
                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                              Category:dropped
                              Size (bytes):114688
                              Entropy (8bit):0.9746603542602881
                              Encrypted:false
                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                              Malicious:false
                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                              Category:dropped
                              Size (bytes):937639
                              Entropy (8bit):7.5688433034573
                              Encrypted:false
                              SSDEEP:12288:GUQKIVKqqdrYq3oh+3p0csucF7c6Bo/HkOFNSf4zuy+0efVbr0yPqmwPqmp:MKeq+qXp05rOZOPqmwPqmp
                              MD5:6D7DA911A4ECB35DD8FD522BC8B6FCF0
                              SHA1:2A78D20A1F3F6737C7126B475F82A2B29352449E
                              SHA-256:1158F15E9AD5D0DFBFCAED152F6BC6ED74348A3353DA9D21394A4F6E0CB97713
                              SHA-512:5F33DC30A002B8B408AF65C925C3A3C0812454A44C596796A580B48D6C0E449F0BCAB74E67241547ED1EB629505488B2A6FDD02FF7FA39BA5E47BC443DA3B681
                              Malicious:false
                              Preview:PK...........X................Autofill/PK...........X................Cookies/PK...........X................CreditCards/PK...........X................Downloads/PK...........X................History/PK...........X................Passwords/PK...........X...C............screen1.png.PNG........IHDR................C...IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                              Category:dropped
                              Size (bytes):22474
                              Entropy (8bit):7.832332347635486
                              Encrypted:false
                              SSDEEP:384:cn30GP84P85Jdvfv4mCX1Zan30GP84P85Jdvfv4mCX1Z/:S8E8hvfv4mCFZo8E8hvfv4mCFZ/
                              MD5:93E2A3886DF9E8D70563422D3AD6C361
                              SHA1:0D36A9B9EAF047958939E11A47524BF20ADD6AB2
                              SHA-256:4377AAAA38C50318381A2F563A8B406B34FA128AF651687172A2F7942DB7E155
                              SHA-512:4B30B3186D462905B0F302F86AC6A75C4A5FDD9156C8F2B49A311A6680B7A1CE4B57538D397E02AC6A0A03518951175D1410AF97E92B162F76CAC4708A96D1EB
                              Malicious:false
                              Preview:PK...........X................BPMLNOBVSB.png..I.E!.....R.QqD....-.".Jt+...S..f.i..A..\..b...*f..]..L.J.ZK.7.7~....[....J......u.<...|g7.$..@.U..dm\)uU.f..5..u.,.....1.P5...D.%5..M.q..gS......k.*....k.?......Q.7.........jY.,..L....\....CJ....)..W.Y.,...J5..:..8..h..db.=6....y.[.a%...3..\.....3..=D.....Im..P.....E.Dc......s........!.....}n..R).t./....V...y../...n.(..^.a$........G...{}.)gz.h.>...:|....p.m..0.B;.D..$Bo5..}.U.K..>..N.C.o.8..|./3Z>5...Q.n.......<...CgQ....9KI'.]F..z..B.pp....SwGGt.K.W.e......A...=..;.#.u.Cv2...7Vc.|j.KU..j.k.......Sj..Sh_..N0L$ 6....z:.....{..gI.O.........(pK.....3sf|...&De>.}........{OU.1.p..:...?..6~..W.j..~PK...........X...............DVWHKMNFNN.pdf..Ir@!.D....?....p...l....aeA..K...E.....[.ph..kQ..T..j.uUnVT.$U...K7+}lZ..I.](.X..5b>..M.".uSl....u....|.c..'}.U ....2.'....U0A..*qO..v.9X.Z...n.E}....us..,]...[g.:..-...6:_.PK...H...=..P...q....).@d^..Ou..W.S.=.....d..[!..L...rr]C.M&S.E}.e:>K.[...U..
                              Process:C:\Users\user\Desktop\Cryptor.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):32768
                              Entropy (8bit):0.017262956703125623
                              Encrypted:false
                              SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                              MD5:B7C14EC6110FA820CA6B65F5AEC85911
                              SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                              SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                              SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                              Malicious:false
                              Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.465541807552734
                              Encrypted:false
                              SSDEEP:6144:0IXfpi67eLPU9skLmb0b4bWSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSbt:JXD94bWlLZMM6YFHb+t
                              MD5:47FA6E0632BE54D06A1D50649B01ADD6
                              SHA1:FBE6096F8F73E81AED3114BB238B41ED47B50C84
                              SHA-256:F3370649E937646A1AEE1CC2605F91C820D0C0810E84B83588896F2F2C95DFCF
                              SHA-512:716E906B81CD2650600EC968CD67CF82B48FBDCDDDCA3E2DB6E698A1CC2D0787F7611C8BF09F0A57129B247CC4366EA1D8A97532F5B0CE75072377FBF68414A2
                              Malicious:false
                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.b..B...............................................................................................................................................................................................................................................................................................................................................RL..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                              Entropy (8bit):7.788984142487068
                              TrID:
                              • Win64 Executable GUI (202006/5) 81.26%
                              • UPX compressed Win32 Executable (30571/9) 12.30%
                              • Win64 Executable (generic) (12005/4) 4.83%
                              • Generic Win/DOS Executable (2004/3) 0.81%
                              • DOS Executable Generic (2002/1) 0.81%
                              File name:Cryptor.exe
                              File size:3'037'184 bytes
                              MD5:4ca40d9d318d97d68fcb518e2c4fe07a
                              SHA1:5fc2e90b7bc1aa4d00c2dc9e0064056b3956e425
                              SHA256:7f988e3a23998e57784262affa784e9cc63ee9494ece3bf5274a7433f4ffab46
                              SHA512:bc3133b4c1da31037eaa2313e427161e7402be8e305e744bec00d294e6c7c95d5abba1bf45dbcf861935224d9213c190392443ca7447e0c6c71e512eb5dee7f2
                              SSDEEP:49152:yG3XVai+IaMqPPgeT+B2GDsp8aTvMf1p8LEh3ZDJgD3WIPvozJO7caDV2aK:yqXVD7deT+spnU80JDJi3WgQtAVDcaK
                              TLSH:DCE533CF951086DDF3E3F2B58B39B885D792A82A9B0EB0171EF5359422B68F015DF601
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.dC?...?...?...6...-..._......._...2..._...6.......)...+...<...?.......[...%...?...8...[...>...Rich?..........................
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x140545760
                              Entrypoint Section:UPX1
                              Digitally signed:false
                              Imagebase:0x140000000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x664FF26D [Fri May 24 01:50:37 2024 UTC]
                              TLS Callbacks:0x405459de, 0x1
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:e8effc9201cf1e60acc68af88aec3bd3
Instruction (entry point 0x140545760 in UPX1)
Note: the file is PE32+, so the entry stub is decoded here as x86-64. A 32-bit decoder renders the REX prefix bytes 0x48 and 0x41 as "dec eax" and "inc ecx" before the instruction they modify; those have been folded back into the 64-bit forms below. Instruction lengths and branch targets are unchanged.
push rbx
push rsi
push rdi
push rbp
lea rsi, qword ptr [rip-002E476Bh]      ; disp32 FFD1B895h; rsi = 0x140261000, start of UPX1 (packed data)
lea rdi, qword ptr [rsi-00260000h]      ; rdi = 0x140001000, start of UPX0 (unpack destination)
lea rax, qword ptr [rdi+0051E7B8h]
push qword ptr [rax]
mov dword ptr [rax], 0F61AFD7h
push rax
push rdi
xor ebx, ebx
xor ecx, ecx
or rbp, FFFFFFFFFFFFFFFFh
call 00007FD0ECB77435h
add ebx, ebx
je 00007FD0ECB773E4h
rep ret
mov ebx, dword ptr [rsi]
sub rsi, FFFFFFFFFFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [rsi]
rep ret
lea rax, qword ptr [rdi+rbp]
cmp ecx, 05h
mov dl, byte ptr [rax]
jbe 00007FD0ECB77403h
cmp rbp, FFFFFFFFFFFFFFFCh
jnbe 00007FD0ECB773FDh
sub ecx, 04h
mov edx, dword ptr [rax]
add rax, 04h
sub ecx, 04h
mov dword ptr [rdi], edx
lea rdi, qword ptr [rdi+04h]
jnc 00007FD0ECB773D1h
add ecx, 04h
mov dl, byte ptr [rax]
je 00007FD0ECB773F2h
inc rax
mov byte ptr [rdi], dl
sub ecx, 01h
mov dl, byte ptr [rax]
lea rdi, qword ptr [rdi+01h]
jne 00007FD0ECB773D2h
rep ret
cld
pop r11
jmp 00007FD0ECB773EAh
inc rsi
mov byte ptr [rdi], dl
inc rdi
mov dl, byte ptr [rsi]
add ebx, ebx
jne 00007FD0ECB773ECh
mov ebx, dword ptr [rsi]
sub rsi, FFFFFFFFFFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [rsi]
jc 00007FD0ECB773C8h
lea eax, dword ptr [rcx+01h]
call r11
adc eax, eax
add ebx, ebx
jne 00007FD0ECB773ECh
mov ebx, dword ptr [rsi]
sub rsi, FFFFFFFFFFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [rsi]
jnc 00007FD0ECB773CDh
sub eax, 03h
jc 00007FD0ECB773F5h
shl eax, 08h
movzx edx, dl
or eax, edx
inc rsi
                              Programming Language:
                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x546000 | 0x5b4 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x520000 | 0x14850 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5465b4 | 0x24 | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x545a08 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x545bf8 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name  Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                              UPX0  0x1000           0x260000      0x0       d41d8cd98f00b204e9800998ecf8427e  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              UPX1  0x261000         0x2e5000      0x2e4e00  a1acfd845da8c009c1a6d73a3a61451b  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              UPX2  0x546000         0x1000        0x600     c305c9cfad767b08ef7a273bcac25795  False     0.3821614583333333  data       3.884559047710082  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              DLL                               Import
                              advapi32.dll                      FreeSid
                              api-ms-win-crt-heap-l1-1-0.dll    free
                              api-ms-win-crt-locale-l1-1-0.dll  _configthreadlocale
                              api-ms-win-crt-math-l1-1-0.dll    log
                              api-ms-win-crt-runtime-l1-1-0.dll exit
                              api-ms-win-crt-stdio-l1-1-0.dll   _set_fmode
                              api-ms-win-crt-string-l1-1-0.dll  strlen
                              api-ms-win-crt-time-l1-1-0.dll    _localtime64_s
                              api-ms-win-crt-utility-l1-1-0.dll qsort
                              bcrypt.dll                        BCryptGenRandom
                              crypt32.dll                       CertOpenStore
                              gdi32.dll                         DeleteDC
                              KERNEL32.DLL                      LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                              ntdll.dll                         RtlUnwindEx
                              ole32.dll                         CoInitializeEx
                              oleaut32.dll                      VariantClear
                              rstrtmgr.dll                      RmGetList
                              secur32.dll                       DecryptMessage
                              user32.dll                        GetMonitorInfoW
                              ws2_32.dll                        bind
                              Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                              Jun 1, 2024 18:41:56.873008013 CEST  49736        80         192.168.2.4      195.201.57.90
                              Jun 1, 2024 18:41:56.877902985 CEST  80           49736      195.201.57.90    192.168.2.4
                              Jun 1, 2024 18:41:56.877979994 CEST  49736        80         192.168.2.4      195.201.57.90
                              Jun 1, 2024 18:41:56.878856897 CEST  49736        80         192.168.2.4      195.201.57.90
                              Jun 1, 2024 18:41:56.883677959 CEST  80           49736      195.201.57.90    192.168.2.4
                              Jun 1, 2024 18:41:57.715166092 CEST  80           49736      195.201.57.90    192.168.2.4
                              Jun 1, 2024 18:41:57.715574980 CEST  49736        80         192.168.2.4      195.201.57.90
                              Jun 1, 2024 18:41:57.721033096 CEST  80           49736      195.201.57.90    192.168.2.4
                              Jun 1, 2024 18:41:57.721106052 CEST  49736        80         192.168.2.4      195.201.57.90
                              Jun 1, 2024 18:42:17.205902100 CEST  49737        443        192.168.2.4      149.154.167.220
                              Jun 1, 2024 18:42:17.205920935 CEST  443          49737      149.154.167.220  192.168.2.4
                              Jun 1, 2024 18:42:17.205985069 CEST  49737        443        192.168.2.4      149.154.167.220
                              Jun 1, 2024 18:42:17.229381084 CEST  49737        443        192.168.2.4      149.154.167.220
                              Jun 1, 2024 18:42:17.229393959 CEST  443          49737      149.154.167.220  192.168.2.4
                              Jun 1, 2024 18:42:17.261907101 CEST  443          49737      149.154.167.220  192.168.2.4
                              Jun 1, 2024 18:42:17.265289068 CEST  49737        443        192.168.2.4      149.154.167.220
                              Jun 1, 2024 18:42:17.265562057 CEST  49737        443        192.168.2.4      149.154.167.220
                              Jun 1, 2024 18:42:17.265572071 CEST  443          49737      149.154.167.220  192.168.2.4
                              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                              Jun 1, 2024 18:41:56.863416910 CEST  62781        53         192.168.2.4  1.1.1.1
                              Jun 1, 2024 18:41:56.870301962 CEST  53           62781      1.1.1.1      192.168.2.4
                              Jun 1, 2024 18:42:17.194921017 CEST  50627        53         192.168.2.4  1.1.1.1
                              Jun 1, 2024 18:42:17.203978062 CEST  53           50627      1.1.1.1      192.168.2.4
                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
                              Jun 1, 2024 18:41:56.863416910 CEST  192.168.2.4  1.1.1.1  0xf395    Standard query (0)  ipwho.is          A (IP address)  IN (0x0001)  false
                              Jun 1, 2024 18:42:17.194921017 CEST  192.168.2.4  1.1.1.1  0xc55c    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
                              Jun 1, 2024 18:41:56.870301962 CEST  1.1.1.1    192.168.2.4  0xf395    No error (0)  ipwho.is                 195.201.57.90    A (IP address)  IN (0x0001)  false
                              Jun 1, 2024 18:42:17.203978062 CEST  1.1.1.1    192.168.2.4  0xc55c    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)  false
                              • ipwho.is
                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                              0           192.168.2.4  49736        195.201.57.90   80                7296  C:\Users\user\Desktop\Cryptor.exe
                              Timestamp                            Bytes transferred  Direction  Data
                              Jun 1, 2024 18:41:56.878856897 CEST  59                 OUT        GET /?output=json HTTP/1.1
                              accept: */*
                              host: ipwho.is
                              Jun 1, 2024 18:41:57.715166092 CEST  941                IN         HTTP/1.1 200 OK
                              Date: Sat, 01 Jun 2024 16:41:57 GMT
                              Content-Type: application/json; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Server: ipwhois
                              Access-Control-Allow-Headers: *
                              X-Robots-Tag: noindex
                              Data Raw: 32 62 64 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 54 58 22 2c 22 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 32 2e 37 37 36 36 36 34 32 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 36 2e 37 39 36 39 38 37 39 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 37 35 32 30 31 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 73 22 [TRUNCATED]
                              Data Ascii: 2bd{"ip":"173.254.250.91","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Texas","region_code":"TX","city":"Dallas","latitude":32.7766642,"longitude":-96.7969879,"is_eu":false,"postal":"75201","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":8100,"org":"QuadraNet, Inc","isp":"Quadranet Enterprises LLC","domain":""},"timezone":{"id":"America\/Chicago","abbr":"CDT","is_dst":true,"offset":-18000,"utc":"-05:00","current_time":"2024-06-01T11:41:57-05:00"}}0


                              Target ID:0
                              Start time:12:41:21
                              Start date:01/06/2024
                              Path:C:\Users\user\Desktop\Cryptor.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\Cryptor.exe"
                              Imagebase:0x7ff77e8c0000
                              File size:3'037'184 bytes
                              MD5 hash:4CA40D9D318D97D68FCB518E2C4FE07A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000002.2568731192.00007FF77ECD0000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:12:41:57
                              Start date:01/06/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:12:41:57
                              Start date:01/06/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:12:42:17
                              Start date:01/06/2024
                              Path:C:\Windows\System32\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\WerFault.exe -u -p 7296 -s 884
                              Imagebase:0xe90000
                              File size:570'736 bytes
                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              No disassembly