Analysis Overview
SHA256
ea08f8b191ed0cda777cad59c42589c60558070288d1cf1bc9227361b9760734
Threat Level: Shows suspicious behavior
The file CraxsRat 7.4 Cracked By @Hidden_Blaze.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 16:40
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
122s
Max time network
156s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c130ae0a89da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af6000000000200000000001066000000010000200000001474937f7fe682f5ea090db9c864fe9121a199de77b0347a2480c8849a3b3bc1000000000e8000000002000020000000436f4c5f655bf793fc3d752e6bca5dc8f2b60e4d408714aaf8cea3aede033903900000000e9c20b454a460bfe8b7de18ce75d2817bf1cbebb37a2b59f3085705fe60505e377b823114331a56a884cf32fee2c2df85dfe737522230e4dd4d6c0873e47d4beed7ccb0463133594e4a152924d184b581aeb0e21b82a1025fa13aa6cb85526af0e382fc2da9e1c3a8a0cf579b691775d712a2fcd738e3bb9b9c3e4b91a90223531d89027366851ee5f840fc0c3b6ef240000000334d0c2ae48083e66f86774682347280fe78dee5856e426efaec80384cd10a0e41ddf3845630e5441b75013939ce8da4c16959137385802ae3efd49e4e2d1515 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D6D4F581-F4FD-11EE-A63C-D2EFD46A7D0E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418670024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000b95758198097e3448b00840f3782809293ab3cb4f1cd4e5690ffd5dd3f1a4294000000000e8000000002000020000000ec90129d6e8c43a209dd5e8606ea19f12d45d35217155173648eb43a0abcbe3320000000f60225eae0f41b993ba8b645e4f88814fdff92bb1059461716eab7a810a937504000000072eb750133b8ebbed057695ee2d57839e3112b66f63e9cc5cf59038cb6fa9fa7b06d9becae9274ee60d82257666564178861f9e1f64b5eb28e0c7ea53d7dc8d4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=CraxsRat.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar9BF8.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f5ce4abb3c44ddccc1c8a85c3f159e9 |
| SHA1 | cec4a00be1734e211c5908a090ac3641d55a2d0b |
| SHA256 | 0f77398cda8d2c62b495af6d557b5d4807094cffe791d6aa7efddaef710f1685 |
| SHA512 | 9553f940ce19adccfda091891260ebb85a1bb4d0274d9b5275d2aadbc52164b33ea06caf2107b3e43931c79d887f1c7cf302325521b05fa6c7122c69712d9dae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 479dfd2a0cfaecf41ed06185394376e6 |
| SHA1 | 0012669c3caf9cc794c268a75f911f5e3e333a10 |
| SHA256 | d74cac69dad860eba78a75114ccd2382f29b5dba7f415f665ace6b9c40c775b4 |
| SHA512 | c1b6ec6414d3bf0d6758447c9ca77d30244fb90bb93a27d85d855d611f132033c44fc926d2ff6bc81effc105dce8b14984fcec78b71846deb5917b43ecb0920d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9932d2c85f864beddcd3cdedfa488ee3 |
| SHA1 | 06e8e5a2430010d603531ccfa3f1a681fb526036 |
| SHA256 | c1f6e9f7ed4ab7976b5adece7953df00c5a868aa18d01608b6514b45541bd936 |
| SHA512 | 182cc813d26712955c9c539b68501c637a241cebb78fc93c47f8da59bfa7c93820399c608e1cbe33b0a281f1d86c5a42175af9e47870782ff89d11f3e31dc7b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87852d277546605da3effc0dada56a93 |
| SHA1 | 9a71eb3416846ab3e3c572df9b6c8dea6bf7bc52 |
| SHA256 | 3192b643f01e783fa5da121216eb61f7c5fb3c1a6e887a8296684c0feb50d72b |
| SHA512 | 73095a39c01bc4c10354f6a2d3e1a77409445596d322e38fc0d74759ff9e9a716e925b54668634c6e2fea6c6d879f803e4b30a773fc19c654f216a6bc3961b73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e9eab68245f22593802d626e96e743f |
| SHA1 | 020bc5bc50fbd5955ad581d96ec90382d951f5ad |
| SHA256 | 44403c935e1c42090083a632435285e0d5b49c2fd262684b1b9396f7f8cc7a6f |
| SHA512 | 84dcbe280089fbd8bbab3a20c421a4a849f8c8bff33d151bbb2e7f3a364049427fb39d14c329c0e059b145990074840b4bb1f4277ef81faeef27b564c9212f7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65f8c7e39f7decd1599530365019e6d2 |
| SHA1 | 324aacdf5e778aa9873301e4ea4c701e0ab91053 |
| SHA256 | d0a943609c274e99d1b2885df1eb9f162142bf554403b974dd021d0826471b4c |
| SHA512 | 00b4c3e604800b7f4afbc07322725fff16269665988081e13f6631a90613597fad7749532f46eecf86aa66339c9b96bac9b07ccc1e98ff6367773b1e069c8256 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 53657b5076bede2310afd554b4ddaa44 |
| SHA1 | 2aa0e5f9149bda4cb2f169be7454c39b4b165603 |
| SHA256 | 754ed36896b2c6fcc405653ced78885b8ac53a75b17c8efb9e9e43ec9a4c9054 |
| SHA512 | e19e036c2436795a8fb95404ec2edef671a8e8b4b289604259dcb78c6105cd3911a0075f198b0650cae003ffd506e1b0f4adc230c49fd26d1be417bddf15d9f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 02d5f323af245a86b27827b177422a7f |
| SHA1 | 236d44f30f6684552be954a35cb186d4c828b160 |
| SHA256 | 9fccc33216c56381e3234b09b491edf7432e63972b297ac3563437737d305d1c |
| SHA512 | 8e31ac14a6136df3e87e99f935604b69f957bb693ac552e64d9834e575be3de094bae27c3d77b3c0258846443f2721f39e6b1defcdebb3eae399d4ccebd0b1cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59a0ada67fdc728b94c6538d92d516ce |
| SHA1 | 8a6e48b28855c895b9296450e0be87f07aecde18 |
| SHA256 | 53c2ad8e99699ac1fe9ee80878834fae476ed50d91bb085b4e6600db05e47628 |
| SHA512 | c1eb55134b7ca742ba7cd9d7a515778884ef02ed37b47b429dddf6d3e01f61982af6c7da507e469b586c19427df10faa2e5034762af784d8666da02cbb40abd7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2135d4a5c068e43ac814d98b605a1ea7 |
| SHA1 | 03230626fda1fea052db0dde4be3ce28f9d181a7 |
| SHA256 | cc9f5a5301cd0b25c6b39ecda4ff040ab98e9a561c725a6d33105da5bbe89f5a |
| SHA512 | d9e7f88efef190870622cb70b3aaea1d3d56fef5c17a047ea1b31f8fbf4cda450eae692f388328426e094870f3628368b082741d1f65bd83a9420257776234da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e4634345111e15e7e6f91ded450fc0e |
| SHA1 | b3a73cb967ee6a1cbbaea218eea731da3c9b51ee |
| SHA256 | 00f9006ba8d185db531de45931c46bb4ddb8f2a158ca7afdbcc6bc914013bc7b |
| SHA512 | 88a85816c2b0f408fe55cf1f79181d5b34f95cbd34692d9d953f2ab811cad300284609a3b877aed4f636f23ae050ad5551389ca98ccb56c9cf56d465f1fb95d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3199fe01fdb131ad14886b72933f3458 |
| SHA1 | 268ace7da8f61316acdc80650d864fe5dbc7ccbf |
| SHA256 | b75fa48fb4677e1a6ab39e98f248c4487cc2befd4d30fdd4e6b6322a2527557f |
| SHA512 | cb2ee8b64efc46013836ca8ba04f302b5f361218a94bf3586f667eb6a875518d201757de3fee218b3df4db4019732828c7ab009559ce9b8f3847ccea8236c82c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2566ba82ca2eee52a9c50350152547e2 |
| SHA1 | 24217290b7e0126309e85f6dc3322ee2031602e6 |
| SHA256 | 13d983356943ae6b4478d60d4c03ad7f51663ce46b0b709d88b7fc8c722ad691 |
| SHA512 | 5b81e485ad3f58539ed4ccaf2e4384cc3eae7e07215e50335a2fb87bf78aba4ee32144510bba64722650d34d246953195b74b80cc6a54820e00a7f208b1384fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b53585c9dff534fdae8cf438732fd744 |
| SHA1 | 4a4ea19f7ae12eaaf8f0bccc6212423d68a43f72 |
| SHA256 | cc4feaa2c162bd4953bc1b3517446bf1d7cb16b8060f9d854d0d010c5d54727d |
| SHA512 | a2613f316480027ae1520d2f0d5aff8b3856e0e75ec91631cbb32ea89061c61bb3e6f9a614591c3541681c3ed326acb9ef5444c9cab1af14e5f2b1509b165a96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be068f5624a61126a26385c2a0e8b686 |
| SHA1 | bab3818f29f519e40b9e82f10d081411fd7f0a5a |
| SHA256 | fe48e62b036476c89fdc2f1eff0e458b60811bbfe79ca97bf1d141bede6f0254 |
| SHA512 | 90f76755ab813b61e5d9e1a3fda7afe3b9e900ab4e1ad65e2534594cf270df78f1bd5a3c04b0cfcfbf8d39e806f0c1e2f54f61913b5edba0e8afe407ddfb7d29 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f87cc9334ea29d9045f194d4be0f69c |
| SHA1 | 3c54fe0044e64ea607430d2a7939a1f42a727f49 |
| SHA256 | 1fe3d27ba805231cdfc80367604e19b147bf9bff54b45adab7ef57e2e9a6c6bc |
| SHA512 | 0aa1668c2993805cfcd19d0a2e587d574a3b4809233313a4af52c4161dc9b65124ce9e6ddd74cf890b3836c9e9237cb5e964b6cf5eedd2cb386009d80bd5c693 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8df69e02c1c132d79456b350bae1757c |
| SHA1 | 60048c0f9734c72abbfc4293f3dc299ece072e8e |
| SHA256 | bc9545264b112e33562ad0b668e086a0da4b91b8384758928742ffc0c6db59bb |
| SHA512 | a9f46428c700c800d934be0fc4df5d07589a6993a5fa76f063b913cb27e80a5eb067ef7c0499a1ba6e5fc41a9e6226c3d9073491364971e984b72cb95e3e176f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ed130f956d6a8013e7ccb883a91840d |
| SHA1 | 7ac70572221cda9946884ef787cf075b306bdadb |
| SHA256 | 7a7af661d20b5aa956020d4f3d2bc7d5f3dde0ab1b5143c54a724ac337d75913 |
| SHA512 | 437ffc209cf99f456abbfaac4e31e60aae25de547e368cf6a4150c516f136ff22c72de01cb47712987f72a90f810c0a8c5597dba2fc6e6837c5d9e0e7729a0d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2097436b3208a7ee5c09ea92975703ec |
| SHA1 | 43b1fc86676fc7821a4ce8509709aabee7eca383 |
| SHA256 | 45d1c33c5948468723ecb19359bc776217fa962e4ddad9d0b1c952640afcb148 |
| SHA512 | d266737ed98766ce36adc4a78d1356e5c64b4e91bae3583c6cb0d49ae0e4624113b212faa3fb3e2320b04478708fb9715bcccc938e6a04f6d4cd3cdaa4040e00 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\GeoIPCitys.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
145s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2352 wrote to memory of 2492 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRuntm.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRuntm.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:48
Platform
win10v2004-20240226-en
Max time kernel
164s
Max time network
320s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.MAPS.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:46
Platform
win7-20240221-en
Max time kernel
117s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.dll",#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
169s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\craxs.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240319-en
Max time kernel
152s
Max time network
169s
Command Line
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3128 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3128 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3128 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3128 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe
"C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Hidden_Blaze
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Cracked4You
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4248 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4300 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4928 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5608 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6048 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6216 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=4248 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5224 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 142.251.39.106:443 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| NL | 104.109.143.24:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 72.246.173.187:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| US | 8.8.8.8:53 | cdn5.cdn-telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 34.111.108.175:443 | cdn5.cdn-telegram.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.108.111.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| NL | 104.109.143.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | t.me | udp |
Files
memory/3128-0-0x000001A269160000-0x000001A26D240000-memory.dmp
memory/3128-1-0x00007FFFA6D50000-0x00007FFFA7811000-memory.dmp
memory/3128-2-0x00007FFFA5480000-0x00007FFFA55CE000-memory.dmp
memory/3128-3-0x000001A270CC0000-0x000001A271D2C000-memory.dmp
memory/3128-4-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-5-0x000001A26FFD0000-0x000001A270176000-memory.dmp
memory/3128-6-0x000001A26F9F0000-0x000001A26F9FC000-memory.dmp
memory/3128-7-0x000001A26FA20000-0x000001A26FA3C000-memory.dmp
memory/3128-8-0x000001A26FD70000-0x000001A26FD9C000-memory.dmp
memory/3128-9-0x000001A26FE20000-0x000001A26FE5C000-memory.dmp
memory/3128-10-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-11-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-12-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-13-0x00007FFFA6D50000-0x00007FFFA7811000-memory.dmp
memory/3128-14-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-15-0x000001A26F110000-0x000001A26F120000-memory.dmp
memory/3128-16-0x000001A26F110000-0x000001A26F120000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRun64.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240215-en
Max time kernel
120s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2740 wrote to memory of 1336 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRuntm.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRuntm.dll",#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240319-en
Max time kernel
121s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\NAudio.dll",#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\System.IO.Compression.ZipFile.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
89s
Max time network
169s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2720 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2720 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2736 -ip 2736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\ChangeLog.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fffbaf046f8,0x7fffbaf04708,0x7fffbaf04718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17872669910445496740,4527299897490162798,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d6e17218d9a99976d1a14c6f6944c96 |
| SHA1 | 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f |
| SHA256 | 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93 |
| SHA512 | 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47 |
\??\pipe\LOCAL\crashpad_1928_INQSJIZYMGKFPGCY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | aa75870d024fb55d682e49113ac15204 |
| SHA1 | 5901a2444e976f79a78321cc560185d1439c71a9 |
| SHA256 | 28b4b071f1892c9b4688950e93d0e63bb6d07f70d701f20d01efe81ea0ffbd40 |
| SHA512 | a1007440d6bf1bb6e2be0a1e09c099f08c0b42f101e3a906a0645880d01e3a2b39ffef6ca14dd7bf85588f6cb7cc25e902a1f817bc65cd50a27a329a7a1bf7e1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5cdad38fbe2f57a817a5fbd342a23e3b |
| SHA1 | f098beac02859bc84b449897d3e4eb77fecd92c1 |
| SHA256 | 0ade8db502cc6856ae6fa7e3fb036361ba60d2b60502e1e3379a4a71170da156 |
| SHA512 | 084921772dc3a7753401bc206bed8533a48b1c6a9c84edd09b52172e3db2f6258de470114654ce5aef10586f5c0ac9eedce4e7b284d01958f16e3b50c2108304 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0dbde31b2ad7a5ed6a828344a76ede25 |
| SHA1 | 463fd61d4b125731a6ac530453f8c6d6f89bf50c |
| SHA256 | 965722f4e37f3149558350bd906b429691a9c4c3b816ca928312cacf3b3f3141 |
| SHA512 | b3356fd6f120aba3549f539e29eb2a742fe040ae3ffaf1cad3344053a0cfcb4aea363d4f1a3238b15c0b9fd05bc4774c08964af6896e98be7fdd9018a7c2545d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | c2ef1d773c3f6f230cedf469f7e34059 |
| SHA1 | e410764405adcfead3338c8d0b29371fd1a3f292 |
| SHA256 | 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521 |
| SHA512 | 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:46
Platform
win7-20240221-en
Max time kernel
120s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\DrakeUI.Framework.dll",#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
122s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.MAPS.dll",#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
137s
Max time network
160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240220-en
Max time kernel
122s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\System.IO.Compression.ZipFile.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20231129-en
Max time kernel
117s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\GeoIPCitys.dll",#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.WinForms.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
89s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\NAudio.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\craxs.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
113s
Max time network
186s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\DrakeUI.Framework.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
120s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\HVMRun64.dll",#1
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
122s
Max time network
142s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.WinForms.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.Wpf.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
121s
Max time network
141s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\Newtonsoft.Json.dll",#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\WinMM.Net.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
140s
Max time network
162s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d29cb60a89da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b5dd91f5fa28f4b535aa84357b20e92960eff428f13cbcd88cc070dedc0b483c000000000e80000000020000200000005875b0c1c89fa55ee81ad874ed97c69533c112f8b081b971033670ebb899e7059000000002b4be0d14c458f71a143f12cd44e9f575312af80d0a17a9a56d73335e55a8bd23a82c83d4cd5d34f1273e8adec03557b30e7eec1baca9a3dcd5733b6ca17b74f728376500dbe16eebbd2b3f5c219e5641b5063ce37371336a48444b14017dd2395d93c7d2073f3e140de10d550fb413a020f5ae68fff86ffe1506c9c5f28f14927128b6179834082b6e7b26d832e9c3400000001aa0626a707708165247c888118e4c7430a36caccc09e8f72269063b04aa5cf148e9724e2e4110faf6aff221aca3a38483feded2f731b1e3f9272014e5d4d95f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E14254E1-F4FD-11EE-A336-7EEA931DE775} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000001b2576655156ce4ac5afcb66c74acddc8e9c1f626a9c9a3d8c3711308dad784e000000000e8000000002000020000000ba6ee0c1787205c945c100bdba244078d79bb700de0cee6c9e71040e80b6c94820000000e0bd605fa1771bd529fd6d19bffc5f3c9a811d8b5cc9a2930cd76876ca8f53dc400000000c276b2ea2f2418733859312756b835b9429a760a2bce9a886b6e58ec47cf8a379417bab9e4a2646c8b7721f851faf33ee17f9716f4bbfa8c5fda548d17e97ff | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418670043" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2732 wrote to memory of 2508 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2732 wrote to memory of 2508 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2732 wrote to memory of 2508 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2732 wrote to memory of 2508 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\ChangeLog.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab6B8.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar7B8.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6702dca99e3d79f446de36d8e932c90c |
| SHA1 | 086e6cf6a26fe13322980432350d788bb6797da5 |
| SHA256 | 3d16793f52d22661fd936561317638f89e14dd7722edbf3546bb5ba0078b4ccd |
| SHA512 | 7ff78472d5df7eefaa68f1bf3dfc8d81e24130037ddaef0aabe2d1f7bfd2cf77a191fe168308f194abc9c23b7c2bfcd774bb05d34e6cad83f503be28f201ad43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f2a6c4953b9551b8a559f222f35d455 |
| SHA1 | a434e18266ce88977ec5fdcf01e65a16a7ee646e |
| SHA256 | 5643d9f25bff85039e1b7868d5ed8ad509d2473127739a858148f057ab92bfb9 |
| SHA512 | 538dd9798557408fb1b84bd291a1aed75bb486b667bca56c53856c56269ac3afca1f8c7d18a52dc25598bfb25ff06cd274dfc40e8c5e860361c4bb3f2202ec0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da7922260f5fc847bf30afbe13577b4f |
| SHA1 | 099f1b5de868f89d655952deabfccc8bdc38583d |
| SHA256 | 483d4f87887dc7d47f9d35d7ef9860975f88cf7183cc866b6a92d9f8fc8e43c3 |
| SHA512 | 82f35feb72c97c43ff455c9f8d294417852879c60fb6293c8fb91d3ba7ab49916b3ffab4c5c627d999e9b5fb78f08452b2ab4a25055745ac80829d9bb213b5cf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d834b4d5cc482d4b04bc6c1694be8f5f |
| SHA1 | abd138af55fee98cbfdb38793c336d59db4159ac |
| SHA256 | 83b8f63f41948e89fd002b71339b1948a73899320057a05e9feb06ee6a9f81a3 |
| SHA512 | 0f4e115807149cf5cd66558ea7924c04d86fa25c0daa9abcf900957ede13ab801686e98f9f764ef36e335f7405f3a4ffd571e8f7d2479a6c1ce5dcfcbc4ca084 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2bfe3c495005f5fc62ebd2dd39318d52 |
| SHA1 | 8b1be5b748b1c14fb09255a42d54df85c0ca6bbc |
| SHA256 | ba73d6de3678c7022b456d2b38171a2da9ef1bdb36f68661ec28d9701674080f |
| SHA512 | 7fc3b03b3e067bc8767cb4014a57dab54a1f4fbd4e5580531698f673047703080a920996a359c012432d0e19da37c1716f82e04785c5a816f28e297a547cca14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c5138054bf7ecd87eea448fa5a61450 |
| SHA1 | dca44a1968c7f5aa853e8c6d0ece799a7ac12f80 |
| SHA256 | 5aadf3310c0090df2c03038360a199f17658cbaefb82d469715cb8fc1bc30c89 |
| SHA512 | 6e6df456794c321cc8c4e49fc589f4f2bb19d97e4403b47cdfadf14042bb4f5a7c2cdf7403666f56980ef1d06653f1ae0378df2535d1cc31735baf8f0ea17004 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9281450e50bcc6702f3125037ddb0c23 |
| SHA1 | 7da6488958afbe230fab4ffcdbef0e8dd21a8389 |
| SHA256 | 9e7c6d8080c0ed97620f82ca62b0541eb475bd63765164d5730a4d831375882d |
| SHA512 | 4bc058b38138ab364abeb3f2a8f5d4c6df8e8455326d3775a891cd2a0b29037d684a66133c355a0ee51f3cd2648a28f4f1dca0c04a9e0ea34bf92d8aff75bed2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b9c91588e0354f993526b9c29b7f006 |
| SHA1 | 4932502af1784e251bf3abd8c93a466a77c507c0 |
| SHA256 | 75032844fa6be02c97df2279c98a6904dc26baafd92a2f7969182794f06858c8 |
| SHA512 | 04bd8b1a902cc46fd3fc2b6f6692f588e5447c434795bf2224a287d84bcba63701febe01ddf53aa3c3672cafa304b35a4f192cc9cc033f2ca5f1020823716357 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab0614830f271effc8c0e43621b90d15 |
| SHA1 | ac536e85207a580e05fcee036b905f681aa03f6b |
| SHA256 | ddccb1d0a1fcd297f2f4efed23c65a5a608ac356ae2268033a17d9f8e40a9403 |
| SHA512 | bd93502ff7c924c603fc6691fb3a98b65fef689952b6c1c82e0f4a0817d72cad13ee4eed2a13fae8b34325cd43b4de96d8d3a55cba515949913e27fc65e66e35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a886dd005b9b6992b4c95df9a494f31 |
| SHA1 | e958d23a5843e994532d697749c141fdeb179360 |
| SHA256 | fdd87d4a1eec8c1984d133d93a278f9f71ceb4e0bc784446968b013c0f04307d |
| SHA512 | c08a1b5de5920fc7b4d407b3a62b48dd5868e0b4f09f1f2130d4ecbca37f9de468ebbb95f63f8d07513c20fc7e35b03044745e363096e370fb19143b772ccbdc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 23fdf092d148304949929c9e1ffa3a6e |
| SHA1 | 4887258c2c46d22d5b700383b1ed2031ef6c1be2 |
| SHA256 | 7658170f2092a0b8b7a2e349eeb13790f206f9c22c2fdf28e7349530664d646c |
| SHA512 | 46b9f931bc5771a1747dc91aa8908e63d15934b18efb33cb3b5283a31c7cfb364e149ad47055586facbc0a581a9e75aa3ec045dc928dbe1bcc5c6408392d5627 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dbbba99bfa6b7c7149ea50b3e898a656 |
| SHA1 | 2a813f2244da4d36fadf591d50b431d02eb8961a |
| SHA256 | 45b437f7fed111f9b3e1e760f5a487a7be39b82d183d516748ac697bd771cf6f |
| SHA512 | 8c073a4fc0e7fa3106b850a67a6b3226a5aac96643f6a8dcac9d5e355427c16cc77002207bd850bffeb8a389fb0017d679d88a68fece53d0d9639d4049362596 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9bab060df681180326bc04f44e6db50a |
| SHA1 | bb62a5d71592d6a8a7638daef050ce549ab0fc3c |
| SHA256 | b7fbccdaadbd58d7d37fe0dda60b3d435fe3190c98b092d5d5c59831006b63b3 |
| SHA512 | 9d289c2ad97a14f7a5251adf41a876a0271ea17f2a15d1c1838ca823eb344041993e882da10d443a42a769723f58f45588a9bf9a54ac0440f00e16119079440d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 33cd06dd70384f68dd63ab4cf1b6c1bf |
| SHA1 | 3d89e3cdeab8901614a9db211fa253ff0f7d3c78 |
| SHA256 | 15d5942dd07c8b42419249f0d2e2f4a74758f55721115c2f8cd8cc50ef34c18f |
| SHA512 | f74c189a3c333679aef12ddc4275754a4ba072230ba553dc4526c8efc4c7a46084eecd1c81c96cce6d86fb187ca95abd4812800e72857c00a4dcc75bb55e8329 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28eb0bdf111cce1d446e499eb2bbef86 |
| SHA1 | 485cfc55fca71096026e42ce7af2eb8482058860 |
| SHA256 | d097fdc8663d36c135f78e9e78d0570180fe390a17c1b73342aa4970a65dd238 |
| SHA512 | a5d4ebc0e58ec7d63ae37134c1a8f7f1131f653510b07b9f6b6913a8071e807d1a640fb131fc60695894c1c5d5e1fc19484c936e173a20bfce5180b586487179 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 870a8be9867d6a22cfced4e5be03ae3b |
| SHA1 | bc0645d5db4a3bf9a12a779c9eb671252dabb276 |
| SHA256 | 621e1050c6f7ea541f2cbcf6e892f699a2407ba3abb2ee1b249669258fa09ec8 |
| SHA512 | 7f8a99804038edebeab1143edf8034ef183f177d0c81af0f83f48cd16d49df4ea55a0c116fc1a27020cb3520793b0ec899c6def40a1776585eec0241d4404e24 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b6966e53898005f1f313cf4eb844645 |
| SHA1 | b6b0eaec5abcb2891669c9abc9ff5715bfe82c05 |
| SHA256 | 157ae68fdda01c846b100f101e7a323353a13521bb49cc95293371cd8745fd6a |
| SHA512 | c5bb18e826f8bc9a21300fc69f840cdefb4f5b15fdea477a1f24601bf158123a847e7a3cbfa2e299aa0256cb92f72f7e9a63b85e59a76b73c94359fdf34143f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 420307794c397ef67a7ea0e1b24c92e2 |
| SHA1 | 5d22420c2cca8215d741be836820028cdaa43ad3 |
| SHA256 | c46896a9eeb3b646ada7e24c9dbb53711c0b303242ea890dd47a6c0f34709a04 |
| SHA512 | 85bca94fd9389564001ee2523b90c193cbc26ccbd1c1f801ef0a85f1df27ebc6656753dcd6d1addd1ccfd80e736058fec3d681b8de92ca003035957e36138b7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5e4d4f4ca871bb5abf5dd46a093103d9 |
| SHA1 | 43d43a2e1a65235efe0ffb24ad7b935521cfb107 |
| SHA256 | 54a6cd30c8dc24a31387208b8916f0cac7273e900b78d9fe3049280361fdacb1 |
| SHA512 | 9850788d05b19a88cd3a0c4511b6341d9f4fd62621b2e8db1ba4fbc56514e77ee150d02508875b4c9039e8b575b83ce1855bc372801bc6c62d9da212633f2110 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 707653787b0bba176f1986a3bee09464 |
| SHA1 | 206178c08495f5f6a2ae8b6fbb45a5ee819ea915 |
| SHA256 | 93d7f5d693e39d2bfdce2f6d3e808da05b018992e37a7ba57886fd2783f5a600 |
| SHA512 | 6688a49ba66bf543352727aae2d6d9d20ae0122554e613c5a109f2e684dbe90c06e6e8ce5d1bda411b38dfe252744f504d1bf896abb3d8cf782a99b2d254c8aa |
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20231129-en
Max time kernel
120s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\LiveCharts.Wpf.dll",#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240215-en
Max time kernel
121s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\res\Lib\7z.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 220
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
170s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\Newtonsoft.Json.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-07 16:37
Reported
2024-04-07 16:45
Platform
win7-20240221-en
Max time kernel
120s
Max time network
145s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\CraxsRat 7.4 Cracked By @Hidden_Blaze\WinMM.Net.dll",#1