Analysis Overview
SHA256
a3ecf063ef19a231915a6d72617700cb4d6a3f2742bb9ec5cf4116ab7bdf7daa
Threat Level: Shows suspicious behavior
The file CraxsRat 7.4 Cracked By @Hidden_Blaze.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Modifies file permissions
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 12:27
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.Wpf.dll",#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:35
Platform
win7-20240221-en
Max time kernel
122s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\NAudio.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240215-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\System.IO.Compression.ZipFile.dll",#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\craxs.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
118s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.MAPS.dll",#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
163s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1344 wrote to memory of 3312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 3312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1344 wrote to memory of 3312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3312 -ip 3312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20231129-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe"
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| DE | 142.250.186.142:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| DE | 142.250.185.193:443 | drive.usercontent.google.com | tcp |
Files
memory/952-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe
| MD5 | 453821572a13cc6ea0736f9db6424e13 |
| SHA1 | 5f994bde8db4b658781756eaaca9416909a3a420 |
| SHA256 | b8c3871a5d6a473a2e9d08684a481aea7467a97d0a433cf55b127323ef61218f |
| SHA512 | 22468064ae306037d2b241e8a985ad5b037b45f6873e364f46d8066018533993e66834288227ae86e94e23511386f0afcf52776060b17dad11dfba4bc333b07a |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | c90af375bc40d0506c16b4ed75efccb6 |
| SHA1 | cd29f79b128ba67bc30e44e7a0365c5ffd3be376 |
| SHA256 | c6e3aa8b8b76b9e3b9df71b3f31d1b7a23f2a031099aceb68c39f38945b65dc0 |
| SHA512 | f0f9e9f6d92ebf20a5303be38e41f66fd052141f04db14ad1d30c974a4e4e70abd51340fe92658563bdb6a7587d9117883241de5bdd123a6e259123869dbabaa |
memory/952-25-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2716-28-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2432-36-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2432-37-0x000000007270D000-0x0000000072718000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8QIlOnDG.xlsm
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
memory/2716-57-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2716-58-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2716-59-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2432-60-0x000000007270D000-0x0000000072718000-memory.dmp
memory/2716-65-0x0000000000400000-0x0000000000513000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
memory/2716-112-0x0000000000400000-0x0000000000513000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 528 wrote to memory of 3024 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 528 wrote to memory of 3024 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\ApkEditor.jar"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/528-4-0x0000019A2D580000-0x0000019A2E580000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 27668a4dec6370977488b727e0361aa5 |
| SHA1 | 918a49fdc0ba053dfc19808fc1eb87f46016746e |
| SHA256 | 0f70a9e3cb1d24cc84693949530c4d5648282c683eee71411ab4257f4ecbb7da |
| SHA512 | 7077c2223e03cb5d206fecf65c50466d0948cc198e00b6ca2ce4073848805ecc292dbcc4bf50d0c4ca2af416bdc527a6afe3680d70f7fbf3697bcfc2c35ceef6 |
memory/528-13-0x0000019A2BD30000-0x0000019A2BD31000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
120s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\NAudio.dll",#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
88s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\GeoIPCitys.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.Wpf.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
131s
Max time network
166s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\System.IO.Compression.ZipFile.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.exe"
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_Synaptics.exe" InjUpdate
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| DE | 142.250.186.142:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| DE | 142.250.185.193:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 142.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.185.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/4544-0-0x00000000023C0000-0x00000000023C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\._cache_7z.exe
| MD5 | 453821572a13cc6ea0736f9db6424e13 |
| SHA1 | 5f994bde8db4b658781756eaaca9416909a3a420 |
| SHA256 | b8c3871a5d6a473a2e9d08684a481aea7467a97d0a433cf55b127323ef61218f |
| SHA512 | 22468064ae306037d2b241e8a985ad5b037b45f6873e364f46d8066018533993e66834288227ae86e94e23511386f0afcf52776060b17dad11dfba4bc333b07a |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | c90af375bc40d0506c16b4ed75efccb6 |
| SHA1 | cd29f79b128ba67bc30e44e7a0365c5ffd3be376 |
| SHA256 | c6e3aa8b8b76b9e3b9df71b3f31d1b7a23f2a031099aceb68c39f38945b65dc0 |
| SHA512 | f0f9e9f6d92ebf20a5303be38e41f66fd052141f04db14ad1d30c974a4e4e70abd51340fe92658563bdb6a7587d9117883241de5bdd123a6e259123869dbabaa |
memory/4544-127-0x0000000000400000-0x0000000000513000-memory.dmp
memory/1168-128-0x0000000002070000-0x0000000002071000-memory.dmp
memory/1168-188-0x0000000000400000-0x0000000000513000-memory.dmp
memory/1168-190-0x0000000002070000-0x0000000002071000-memory.dmp
memory/1168-214-0x0000000000400000-0x0000000000513000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418654978" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEE21921-F4DA-11EE-A635-D2EFD46A7D0E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800db4a3e788da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000046ddffeca6726fe2e1f79cbfdd5b47b0b131fc14ece1cc89a2a9210dbd23e29a000000000e8000000002000020000000e9521fcf4686a84ce384548efbc74b31f6163fdb762a3ff497fdcaa699fcf25120000000d73538a8f9fc4792e7674ccd5e6d28134ec8d34e6c59a4e6e6f68402bf05ed5b4000000097a8eaa7c3c72acd3fa2e3c4b69528423a10ac6059c5e971f3ed22378ff134d4481211013fca553935713d787a720618ef69e66d41c007e924f6ad83d16cb1aa | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000b1648c498f2dc607d2856ebaf9037c1674915e6f19f64ce430db0b5d8ec4df21000000000e8000000002000020000000890a127c56c95ed8d92741f954f2a0e60fb3a26c5e2895d26092424f51cad2809000000069c6bba50ae52fd8a11262ec9eedf8708b0004467c6ab5128415fd945c07a241b1b46e37143c3315916c7a40435196488bc43ee97cdf9ee2cc2477fa8c2b554f6c3f54d9c71103bffdbf413c9948d85883b737f5e5fefa2c5905a4913d25ec14bb029c743820c70638a3f79bbe079af9093554a7d9d90a17c670c51972d13c30f92300cfa201db147a2d19b016890869400000001c581fd18aa22e5dd39c4e27fef708d7209a0894be7c202626bd040b806914d0ed0306d79cb6a3fdccd85c95a0895215aa7fe4b06a0405488d54777eb9a1237e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEE47A81-F4DA-11EE-A635-D2EFD46A7D0E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/Hidden_Blaze
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/Cracked4You
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1196-0-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp
memory/1196-1-0x0000000000850000-0x0000000004800000-memory.dmp
memory/1196-2-0x000000001EE50000-0x000000001FEBC000-memory.dmp
memory/1196-3-0x00000000222C0000-0x0000000022340000-memory.dmp
memory/1196-4-0x00000000003D0000-0x00000000003DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEE47A81-F4DA-11EE-A635-D2EFD46A7D0E}.dat
| MD5 | ae7bf3af1ae45c33b56a4c2d6601fa56 |
| SHA1 | e12d385694a0add7c5468cce9c616d818b247043 |
| SHA256 | 8aa8eb69d1bdd6dd7edd978df49682647171f515c0b92acb309e00f35ed50066 |
| SHA512 | e62eb9422f6e4f55de0844198f24f148fa9704d3c536c71569e8b4d54bf7b465d784f8f6b8729b1d09fb878a05ab57d2e97769198c924a322ca4993974f1d4c4 |
memory/1196-6-0x00000000004B0000-0x00000000004DC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEE21921-F4DA-11EE-A635-D2EFD46A7D0E}.dat
| MD5 | 7b661e82ef49115a8eb8be75e4c5035b |
| SHA1 | ffe6aad5fa6bdaa72c0a92acb3b8e5f623f6dc34 |
| SHA256 | 52cde6e67a60fa95f5d44394d040c316ab82d7a56050a512020f4398dc4f4755 |
| SHA512 | 1a1fcc0b30347b002492ba79647a57b0339bf04b937696bbe7aeec01ffe8586a71cd2c72d26c5cf19da11ff5bcfd1321023999d2b8df1228e3911e3f404e4e0c |
memory/1196-8-0x00000000004E0000-0x000000000051C000-memory.dmp
memory/1196-9-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/1196-10-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/1196-13-0x00000000222C0000-0x0000000022340000-memory.dmp
memory/1196-21-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp
memory/1196-22-0x00000000003E0000-0x00000000003EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6AB7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar6B99.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58fded93ba220f4e842f2f5a00cb6f54 |
| SHA1 | 0c1d8022c477666eac2ea8b67e18d637bb3ac39a |
| SHA256 | fa6c7b3542be3aa66e972b3cc33c94804aeeae89915d628a7dfbc1b4ac34e644 |
| SHA512 | 9bd2b1951ae1dfab81f6062fd0fdf0ec76b454b19a44e897bfc0d2845d376e147ef0b2ea034ab77736e1a1f54ace001ca61c7011d1a34b62745d93444c1a21bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35ef1adcb5993bdcd86f71ec4ac6f041 |
| SHA1 | 39b4bad8c77a9896ca36b46375df73a821385222 |
| SHA256 | d0006e29c7a3b7fe5a6d2182c43ffccdd7b34d18f56c43252b724cf88e279f3a |
| SHA512 | aef52c0586624d12e8d2482cad9bd902c36149b93d6fc5b7ca6e0740ecfb79895750639535e6ef97b41007385866cb2b54dc46778607e3daa56af24dfbc8cb6d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7a7750bbcd42a72208b9c18446d73bc |
| SHA1 | 142e798f6a9d2342f193e8362ee64c2ec7b6f0c3 |
| SHA256 | 75e00d62faf37dd825f68af444787656963437baedb466d988c8b86e1932e63a |
| SHA512 | a0566565912bdc1535e90f935bae18fc153e35b1e298d7988306dd021c75c54f9f730504e888c38a25d1e76fdb8322c73261bda48e18eb7129e33ecf86e3303c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4f1e47e5bfd9cfe56d1b1d6adbf1b20 |
| SHA1 | 18e693505a588fd0e94cc4e1e86f471be7d491bc |
| SHA256 | eeeaed275a3391cde1ba446856f72e11f3f45f6f526790f9f252f977bf685906 |
| SHA512 | e1286093cfba4cd1db8578f00bd0719e5be61e20e083289d74a67450a1fb252cc0703f4d43736fe1eaea37226de49c52eed690d693f71d5ac58e926160b033a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ad6f38ba7776909c4a0852eed20864c |
| SHA1 | 5b28ab898680f6381a9f06ffbe5c14edf24d4ee8 |
| SHA256 | 8a4532d770982a692b015197db1a5c00f1ff92c8537fb12c849189dae7e17b27 |
| SHA512 | a709f9cb6b6e275cb58619738258008a9a6768f2bb4cdddb1d21656423c3fb83a752d812de11a7709e02779c3eb8137192b37cc7191894a4811cc395abeddd3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39d1c6a906a5723726a3987968f5799f |
| SHA1 | 599d77192ba78547673d68f2747f9e24f957081b |
| SHA256 | 9c11b8263887db5931cac3b51315667f0a987c2961a490c41843dbdaed0b2cf2 |
| SHA512 | 8a1b7a0d51ce1c016e869f5caa958e9eff782bd19f5f40a9216de7e19043593a21994b614d1e9af9c8a9d0c82ffa87da97181ccc171559b19b6e07e474256272 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb4335c1b93e7022d8f76f1fde70ae96 |
| SHA1 | 2a8b1508ee742f6df09b20d2f033edb4d184895e |
| SHA256 | 68229a1175599b2e2db9c9c121a7661362745e28ab484ec387c8c45a67971887 |
| SHA512 | f06e1bb2979d078fe0af9506ace0ae49cbe1d846913b55dee62b6bf4f2df50d658d2aa350ab727faf00b7147059e4351b9fc2a9c1b6a06aefc036fe08be218b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cc22364c7c35ab2515c390ffb2e1fed4 |
| SHA1 | 9686a2e4dbc48fbe84396666bc5c765a929b2964 |
| SHA256 | dd679c78fe95d453d6340776b5320dbff656b0d805f65b958a19e8203cbc743f |
| SHA512 | 0009cdb0956394721c8e8db25c52b96c3008dfb318ab736019667a5307389f02bd3c9655c2e90e8cb8137b0e56f542c0bec9b44ec03e1e12b07fb3e092ee81fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c569f95eb829921308481c57db1cbb11 |
| SHA1 | cefbeace8e4b7320d72f710ab454dd52f9cb6e38 |
| SHA256 | 969b240d042465c4cd64685a50130858f876cd643ee5c07f9433654b2e05ad56 |
| SHA512 | 1f8a845055c59978cd09f797f505d6b4515576c2b92c754edc4ff7455c691adad05982b8a9451050d5dafc4e37ad324025c909d7395f4c8b75c2596e34c5a817 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0f579c6dd775a836774116ad132fc7c6 |
| SHA1 | 1e65dc31f9fc4aa4c624a4c7661b3faafce24c99 |
| SHA256 | fd4c9b307dcc44644fbb548202b49d10fcee6449cad86c8776b50c3eacd4d34f |
| SHA512 | ec034af1bb5f2775958a372e8baf28d7a5dff5e49f793080ca127e0973cf3fb9159b8bd1aba88234bc4531d00568573ab0557943801867df4fae3bd3f64fbb3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 116d499b6032abc611cdd104a1f9e8c6 |
| SHA1 | dc21453c878dbfcaf3a9e0d664c5ffb7fab9f234 |
| SHA256 | 7184800a8d4ae4d039cf3e34fa2f4f5d5250e4779efd911d59eb87171b2c29c3 |
| SHA512 | 169e5402b449ca7b522af8d81fc4839ab18cd381045f5bb909ea7a28e301b49d1cceb61475db1c93537d7b3129a5bde282a893f469af2b4a5e9762f19b538012 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 569202c6540370926cfb94efb1881721 |
| SHA1 | 3dee11c55f265ef962bb3b54812c60d12427755e |
| SHA256 | b131986d77a41300de6085cd4d6b3016de82d075af02dccb3aca9335fec9ea39 |
| SHA512 | 764e1bf98d2102d5852a2073185a24c20e96a4b7f426f52b1c70e52c15868850487970666b7fe4bebbc97007cccfe159112f3325063ea1a292de9430f29192d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01d6c3062beb5ec22d3cdbb0103f81a9 |
| SHA1 | fc268a47747fc32cb4b2f38dafd03865769e5d73 |
| SHA256 | 1d33d5cf7b1e20f0ac8c65e23d6e705643400d31b29588297d29b4ae5cd02b80 |
| SHA512 | bc874b802425b710c13bd57b4240c4d777e3a4f5b3436e39a1b5b8905550040fcc2fd10bfc19af973a75feb91e31f5329d584254fa7c6b1bdf87864f9265bfe1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fa9dbad356f7d96cadd27e4d43e93ca |
| SHA1 | c15617909d891ba08fc28ffad608ce35adac4609 |
| SHA256 | a9e64a9389fc1660b977ad5c96b92d164008e2e0b6cab6e63e091bd6836daef4 |
| SHA512 | 2a4cd9eea19dae699a2aff8c1d68699592843c79f799969274c1b40dc0aaa479b45b4851f1434ad15522782e8ef13be5a65ed2c0ebca035ccfcf5198e9434aeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3d63749b5a4a84897ad9c55ecb9c8633 |
| SHA1 | a738837b920dc80c21ec1db926f301ab4b1f2a3d |
| SHA256 | 0cf35f908f7cd3216d461c10afe0526ce5ce968fd8c7b96c21f61d71219f6bb9 |
| SHA512 | e7fdd469c160c8502bdd874d2aacac2acf421a17e21b8b627905c9b4d845b429e48b9a537d8fcf775e590c76254770d6c9b1dc2816157a944f6c35faf6c40a0f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8065459b5e5f3edeb4b749c207009238 |
| SHA1 | 5dd2e253e493be8eddd402873c3d6fe6466ef7b2 |
| SHA256 | b923d93a7f54fb846d693887df33c8a20043182435f574ae2ec5b516ac6ac08c |
| SHA512 | 4553cc9b6acc2e412d5e053d1f5506aa1125b5419d4b6507561663e7f5d859a9251a1f3b7e265a10dd218ddcaf221c66922ce948e6862f6920e2255499cd3421 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99a0c706fc198f4cb05a0c5e588a179e |
| SHA1 | d08299914604e7e7d0933169306b8230949c9d47 |
| SHA256 | 068dc85bb9d9751e374886ef76bf3428cd050ac2e87cca8793f70fe0072428ad |
| SHA512 | 1e1ac8da63f93f11fe69fc61a86e7abf410c4b24c5634bc88311aecf6d797a8dc201b71919566f7c0a75af1d4e9bb2cc0d50102de1c404823287a29e75c1f4ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01a601acfe9709c6fff373e77cfc8e85 |
| SHA1 | 1f1658dc6cbf5c702f3571e07fff5d15f7c052bd |
| SHA256 | 02dcef6cf7ce3f8741403ea30f1b865c7dd36bdd06e91a4a49f0b639382626ce |
| SHA512 | 42f84b880c758387059c07d8ed7e037ce18345ac1e05f6b0a8d61a61772cdbeca6c6bc155de1d4428658f3b03045c911960193700bc5cde523700d0ef387bf99 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2010c5d6c64fa7554933f2e34475a0f9 |
| SHA1 | e776aecd0d1574ba7de4dcd81e76b7304590fc14 |
| SHA256 | 4d1768384c1e01226f0781c03def154de44f895613dc4b4176d9586b97011de4 |
| SHA512 | 761da2e67cf2707bf25b7725211d2091c9d91269d82cad52a983fe40cf979a78df4aeacd7c3430c5e3f921401f7ce71f3c507edc100fc857e9d63faa2346a2e0 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.MAPS.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240319-en
Max time kernel
138s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\WinMM.Net.dll",#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| IE | 94.245.104.56:443 | tcp | |
| GB | 51.140.242.104:443 | tcp | |
| GB | 51.11.108.188:443 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| GB | 13.105.221.15:443 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
164s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\ChangeLog.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd23b746f8,0x7ffd23b74708,0x7ffd23b74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7028623880540397306,6750167788657616183,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5720 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9f44d6f922f830d04d7463189045a5a3 |
| SHA1 | 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c |
| SHA256 | 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a |
| SHA512 | 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d |
\??\pipe\LOCAL\crashpad_4536_YPCGGTZHGINRMLCP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7740a919423ddc469647f8fdd981324d |
| SHA1 | c1bc3f834507e4940a0b7594e34c4b83bbea7cda |
| SHA256 | bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221 |
| SHA512 | 7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5d93c2758c0e2bf5497747f9e585bd81 |
| SHA1 | 7db2770d7750ad74186b9cda26c4fb9aedc6cb7d |
| SHA256 | 91b124e3488abc91ca089e3df2370d060955958aec998b5b27428497d46e8380 |
| SHA512 | ffb6772e675725a754449dde73cbeb13d3599ce66c2aecb4d2ec86d8330ae38a0104963786711f2c56e86f6b3eeda828c627c04336fdeb2730ffa2e4064772c7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0b7157ffb07996c2b10e141e780d6120 |
| SHA1 | 032b0659a112a712b6df7c6a116ad4140d8e39bf |
| SHA256 | 3936741d544ceb285af0e2980053887c07032989612eef7acace27873366bfb8 |
| SHA512 | 0f21c60b2d514706e5cd6611964798fab96cea8ce46d4d796b49825579b520a6af9cb5aad798b51add1860cae192f8969de0e0eb682124aaad4b532d541b88a2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c6f93d45e48bed53ac0a49c7441254e4 |
| SHA1 | e50cd075b0777486730f9a3ee4626364263a044b |
| SHA256 | 47f449127027936cc30aaa5a79a6536f878b3a4183f135eaff203e6622770420 |
| SHA512 | 5f3a9c4b47c4d8154a0d27ace6501a603ce598707f3807efb65ce7ba6f4cbe0bdae11f33bdc69eb94aa98df2b5bfa220f75a052fb6366fab8a9b448be5eda300 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240319-en
Max time kernel
146s
Max time network
172s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 780 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 780 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 780 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 780 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat CrackedBy @Hidden_Blaze.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Hidden_Blaze
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Cracked4You
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3908 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4956 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5656 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4732 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5880 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5992 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6180 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6200 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5840 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| GB | 23.73.139.27:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | telem-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | telem-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 27.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.108.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | telem-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | telem-edge.smartscreen.microsoft.com | udp |
| GB | 13.87.96.169:443 | telem-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| GB | 13.105.221.15:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
Files
memory/780-0-0x00007FFE2C0C0000-0x00007FFE2CB81000-memory.dmp
memory/780-1-0x000002416DFD0000-0x0000024171F80000-memory.dmp
memory/780-2-0x00000241755E0000-0x000002417664C000-memory.dmp
memory/780-3-0x00000241744E0000-0x00000241744F0000-memory.dmp
memory/780-4-0x0000024173D70000-0x0000024173D7C000-memory.dmp
memory/780-5-0x0000024174480000-0x000002417449C000-memory.dmp
memory/780-7-0x0000024174790000-0x00000241747CC000-memory.dmp
memory/780-6-0x00000241744A0000-0x00000241744CC000-memory.dmp
memory/780-9-0x00000241744E0000-0x00000241744F0000-memory.dmp
memory/780-8-0x00000241744E0000-0x00000241744F0000-memory.dmp
memory/780-10-0x0000024177CC0000-0x0000024177E66000-memory.dmp
memory/780-11-0x00007FFE2C0C0000-0x00007FFE2CB81000-memory.dmp
memory/780-12-0x00000241744E0000-0x00000241744F0000-memory.dmp
memory/780-13-0x00000241744E0000-0x00000241744F0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
169s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\DrakeUI.Framework.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:35
Platform
win7-20240221-en
Max time kernel
117s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\GeoIPCitys.dll",#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20231129-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.WinForms.dll",#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\WinMM.Net.dll",#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
117s
Max time network
162s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000006f97b0e7d6d462e8e360d8b9eb4b109483aa1b851f394862f54afd7ebb593988000000000e8000000002000020000000045cd1eadd4ca352fdda19e4303906cb11e6a40cef285a0b7c4c07f3aeb49ccf200000001d79c34024240d9b2a2bfc587a972391f243fbddb498a83b4c5b797e957f279c4000000029935f52099261fa9166a8f9b57c253921c41c0a06073bcd887baafb911448b1cd6161df61abb3d4e5d76f77b772de4ba9fa90cf13ddc3a3470ed9ec7a3eb5e9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b095e3ace788da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418654995" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D72DB1C1-F4DA-11EE-A692-6A83D32C515E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b868107741653d0a7f64200491a5fb266211cb92d5fff905694791e7c1629363000000000e8000000002000020000000041a9a4785a51ff5d7b300e20a6f949537406be3e90bf318f68930c8dabb565090000000bb511995daa6c9dcefff1c9b7d2b85bfe99aed01db3839ceb97fc6573298cb559a2d27625c04c7d6b467b654f4dd2ef3c298badaf3b040cb0c7e92499913c3e69767071e7ac72e1c481be733bf1f979b9b5bd4ae5c4433cd37a876d110e93604ec58995495b2ec89746f0b3c7afa208b7ef86dd448626e7dba40524e3c0b38df68ed1607489591b0e374f875b429ad7e40000000f1ed97b7208ff0a6b6b4696d9f61c755c130a3bf6475522617d4a7baeff0fdc8e40945553d197dc41502b0093005f6e50f3a0fe1923fa8d51cfced732e8f4a63 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 2624 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2624 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2624 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3040 wrote to memory of 2624 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\ChangeLog.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabEA33.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarEB36.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9096f14ae9a8f91c970d292d0224df99 |
| SHA1 | b2a7b43654fd6d15bb8bc3304c32c01af8d7bfc1 |
| SHA256 | 1f815070419196dc61a0dd6fc204efeb3b47698e43e19335848c5de229c1262c |
| SHA512 | 5f2a99b601813eff9f5a5a1395165c31bfb25264c8f024962b46faf767290aba98664d53a32f0d9ac6f0cd45345e1c043e0d54fcf5457d5b9eba03a4951f1289 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e657accca4a88e01f9fcbb70199f8ad8 |
| SHA1 | 24ef1d2e0d9e53ac8aa59d9b90316837708883c2 |
| SHA256 | 988c3c56da84d6a439591e814265124edbbf5125a29e81284fb8391b12bae21f |
| SHA512 | 8218dc929f9ec505d4d22777ac0fb9f10f6dceef4c1d440450f5f9832d17846972fca500aa3d5e8db675e4d7d43fa7ad5c057237d8b813c7de586aee98e5c43a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 09c586b246a2e7702c7a7b4bafaead05 |
| SHA1 | f203af5a863ddcadfd7c298750a21e10134f49cf |
| SHA256 | d6fa7a2015efec6a1daed88bcb4f2f6f1abc11c381e3af7914fd18f5e5441993 |
| SHA512 | 554f9c228bbbb215ebd192f9e5faf8e9547168ee08033a122befc08b9bdd6323f3aa41c6c246ed5e9c54b2bfebd9a6eb380b9b2c6bb906eca6b422664a316d25 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8acfd1d9121af670dd2dcaaa705f104 |
| SHA1 | 719e68e2b6cf1fdb7f2c5ed0dbb4bb36f7d64c4e |
| SHA256 | 3d7519fd182675e63fb5b6351215f131a6afdcaebd146084a63a47af4ccf2041 |
| SHA512 | 0094974d4b016fc81549aa29677a1eebed4860d9462cf23a283f4f37cf9387b0581ece6e9cb5d80e521672671f4bbe122d248a6ad019e327ebd6bcad597632ca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 93ec6a52e685db7b36983da1ffc5e4d8 |
| SHA1 | 0bb3d941958e168e7a3c07c1af6e560faa864aa9 |
| SHA256 | db4a6ab1c1325bb002366d676b585d047691905455473ffd739f81ebb608398a |
| SHA512 | 524563542ede95d5fe4aa400ce692df64a4fffdab8e95a1cb2034aa434f09cd28a2e7a2230ccef58136c21c7187bdb8bc5d69daa5638a45f573b656e647a5f93 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d2f67501917e4cce51a5ffd954d39711 |
| SHA1 | e67962710556a278f61cb8713ad0cfee09e2e4b7 |
| SHA256 | ad7e63b11c683942f80587bd351c6957f24f05dda7fb0eaaebc9799e9256b160 |
| SHA512 | 2f5bfb9be2222da00bcfb0d923f826597c437519223ec8473561329afa7946ede577044343293463a93e6405b6db474e0e6b65951fde339e70b1564c902a7d3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab5336cee36ae47179432e0014ec44fd |
| SHA1 | a3073f8485688a499afabdb2181720404ac1be36 |
| SHA256 | 3e02f4b08104731c04077a9f638f88189485cbc9a2157c27b1b6c03bc5ae5308 |
| SHA512 | 10883f415fad243ad1b635a4d4a087973a8ee753ab357e8e0dfa89f90f91895a140d55c159756655c1d9a9573937f40953b7114f44e149e80ad662e6472e4f09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e274dea8e1108dc643d2cdc98080f26e |
| SHA1 | 4d887a2786bd4e229e4317cebff32bcefb9c4b9b |
| SHA256 | ccd208d3aab8d5fd2b0be3940ab52a3f1ed09f3445f633f3a23d4b2e00229c61 |
| SHA512 | 150bf9bc516bf8419488267ddc9ff8a2b1c2d9f1cc24e4a899732974043c427c05ae5488c7ca3339c1e675e1eb0bcb28bf4407fec341fb7c9fd8c950f29be1c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80c257e6b79f8f13542b1f45720af5d8 |
| SHA1 | 6b8c9039a20747fbe7e24d84d0a1e77f9cce69aa |
| SHA256 | ea7698f95fed248145bcdfd5eb83470294b2c16eb1da162102a104a031c2bd23 |
| SHA512 | 6ee5c407cf4321549ebd03ebf37b570cccc5b2dcf97c5b22bbf71a585f856ea295c068949398166dbb7f9c02328ed9ffc8cfea98f352bc537a711b6053ab7224 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a17942d23cc9725faa2f296e280bf2f |
| SHA1 | e1c4e490e65e2a7d5406879faf7c352617116df5 |
| SHA256 | cb738a91ea52f1bbc28e7426a855870462b9061dde0da7d3a6ac49a75e132df2 |
| SHA512 | 4afd55641bef3fa4c7c0afd44086f0546d5953e87c0e5978e6a5d6977ea5af80d2ab4fd04d984d9a2dea2a90aa99856ae9440c99fbe20afe0e1210066f4bffb3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 53178b92f8e4367c7ba5bbc37de87967 |
| SHA1 | 8efb7e62b85aef731ce43409884df023ee865e64 |
| SHA256 | d8cac358cc76f54cc6d7634403f843aff69f785dd78ecb9145d6866c83e43982 |
| SHA512 | d343302680eeb8a73a82f39a98182a3eff1627bca178150056ab659507d885864aa8b0e628a105e2cfefae4be5da2209d26618e433a4816f198383175fa3ae78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17aa2fa47dd6dc7afbf9dc09f2bf399d |
| SHA1 | 0dafa3df85b609707abbfc03c02f5d9f98e64d55 |
| SHA256 | d4ecf5707c6fabb6579d30d028b3b95c52d8eb5fc6bd64b80a51a0e9603bf3fe |
| SHA512 | b89380aaaafcbe494bfd769b7039a8945e620a783d789fa73581f56dbc5ba82243f4173378775a56f239ee71ecded413d77e4ca6db1f5c6f91c9fc2ba9ed2702 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2dd6fb6ae1a30a6e5dc3cef19ba17ad |
| SHA1 | cb750007639576f23bd13c02d9af82202460878a |
| SHA256 | 8790d6f9a07f8e1f817a53a50812c3fc5433ad4a418df424c9975dcef63c21e7 |
| SHA512 | 61e20269df04f6057ab5c097cd2e6d842c22a948cee8984eb2db93277c40a8ba9b17d0fd8b620aaca632d1a9634ba1542604d353935ce69d90eb95eeabc13a78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3dffde51c1353572bc566d51af27af90 |
| SHA1 | b2a2dca7e38749b8bf21525466d72a493a0eeeeb |
| SHA256 | e30fd8007afd5a87b9be398001c144462f56d0d5251542b833bac70ca79a2909 |
| SHA512 | 7b2497f55e11eb3d083ab84b89970d77aed7615dda397b959b9b9daad2f837271a0e3cc64a649f311068c31aa5476c9054332619177506ef66ce865df6bba723 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a9da8b232e8ae8fa809bdb22e042dcd |
| SHA1 | 05bd2f31176f586bf748a59c58f2410c7c553411 |
| SHA256 | e1ebf48cf0aae5f39825bb0487955a0d3590ef902b46ce500893a0bb3cf349a3 |
| SHA512 | 543ee6b0b61ac9e9071bbebf0c2683c3116227a47e978128923187494665e81d2898e7d8b67ad602ec8887547973d88ed49dea4d61a17d73416f0c7208b533f6 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\DrakeUI.Framework.dll",#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.WinForms.dll",#1
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:35
Platform
win10v2004-20240226-en
Max time kernel
166s
Max time network
183s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\Newtonsoft.Json.dll",#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=760 --field-trial-handle=2264,i,7010714054498059916,1862725710331979271,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\craxs.dll",#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240221-en
Max time kernel
118s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 224
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:34
Platform
win7-20240220-en
Max time kernel
118s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\ApkEditor.jar"
Network
Files
memory/2928-6-0x00000000023E0000-0x00000000053E0000-memory.dmp
memory/2928-11-0x0000000000250000-0x0000000000251000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-07 12:24
Reported
2024-04-07 12:35
Platform
win7-20240221-en
Max time kernel
7s
Max time network
38s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\Newtonsoft.Json.dll",#1