Analysis Overview
SHA256
e37a2e844d1e25a064d475442d514b020e9950c465beee965df45f4e0f445c60
Threat Level: Known bad
The file CraxsRat 3.9.2.rar was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 13:01
Signatures
Quasar family
Quasar payload
UPX packed file
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 12:57
Reported
2024-05-25 15:37
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 12:57
Reported
2024-05-25 15:37
Platform
win11-20240508-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 12:57
Reported
2024-05-25 15:37
Platform
win10-20240404-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\CraxsRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\CraxsRat.exe | N/A |
| N/A | N/A | C:\Windows\system32\System\SearchApp.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\System\SearchApp.exe | C:\Windows\system32\System\SearchApp.exe | N/A |
| File opened for modification | C:\Windows\system32\System | C:\Windows\system32\System\SearchApp.exe | N/A |
| File created | C:\Windows\system32\System\SearchApp.exe | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe | N/A |
| File opened for modification | C:\Windows\system32\System\SearchApp.exe | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe | N/A |
| File opened for modification | C:\Windows\system32\System | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\System\SearchApp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\CraxsRat.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\CraxsRat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\CraxsRat.exe | N/A |
| N/A | N/A | C:\Windows\system32\System\SearchApp.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\CraxsRat.exe
"C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\CraxsRat.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\55A.tmp\55B.tmp\55C.vbs //Nologo
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe
"C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\SearchApp.exe"
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\CraxsRat.exe
"C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\CraxsRat.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchApp" /sc ONLOGON /tr "C:\Windows\system32\System\SearchApp.exe" /rl HIGHEST /f
C:\Windows\system32\System\SearchApp.exe
"C:\Windows\system32\System\SearchApp.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchApp" /sc ONLOGON /tr "C:\Windows\system32\System\SearchApp.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hack4money.myftp.org | udp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| US | 8.8.8.8:53 | hack4money.myftp.org | udp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| BD | 103.149.73.105:10067 | hack4money.myftp.org | tcp |
Files
| SHA1 | b8337772e2e17d48412f44373ea8a821b85e9c54 |
| SHA256 | af2f591584f6c59da15fd42e5175dc136844442e1c755fac047b0efae3956c50 |
| SHA512 | 547e0753a1ac4058ec609ddd2d6ce54b50cc47177ee319f5bcc82eca9e231d01d74b7c2d02de90557c08224bed962c74f8c4079a1292153cbff32db234ddf6a6 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AQ.ico
| MD5 | be6fa7ab4980735841141d4d3f642a4a |
| SHA1 | c6d03cda7f73a959a3d20d0e3897595fbe2915e9 |
| SHA256 | 3439ebcdd8e7a614f157f58d7f77d190aac7fe514129a01024a8b68b7008fbb2 |
| SHA512 | fbc116df306de7a04f43cb2becfecbbaf103d6b252336e0bd37f006506140ceb14f114cdf62e203bc12f78c25906066385eb6caa67f694d8526b341bcf3462f2 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AO.ico
| MD5 | a5c78266329a1eb0f3e52bc0343783b5 |
| SHA1 | e0b254e2176f0eab8d2b76213a64c24ba1788675 |
| SHA256 | 550a1b6e2b97febd865cd130b0c0d484cf2fd02b8066ddf6d7290b9cffb35059 |
| SHA512 | 61a7bf67f9019e5f4c653246e1844703619d6421c3625c963862ee9b0b3975b26ce2f785c9b3cc79e77181c098f0e3d60c9f0e21203928117c6cd45f104af36f |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AN.ico
| MD5 | ed05e0515da2b4c11d839493abf8d44b |
| SHA1 | 8862a2bd75632d916fdd049b31f2155ac7894524 |
| SHA256 | 8f641c948721c9e7e92f28224b8b1beeb27382e5bac8a4014a57537dd7543a8d |
| SHA512 | 31613012f4ea1da8d1318f69e6e9a4be068e9e490f01ef0e1f880b33f50d715d92d7498ca99223ce81d6656ccc4293a7fbd272939e99dbc21d62176a6c6d9553 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AL.ico
| MD5 | 5dbcdfb9a2f9120ba42006c997e22b42 |
| SHA1 | 01fe537ccabec19b252e07ed6ab557a46a70e6df |
| SHA256 | 8f726d2132b2b7764936aaffb52ef7b0271abf857949588c36b32fb3c769bcc4 |
| SHA512 | 519b0757a1bba205915aea9f8bb715072420fae126a4917f146c9ea7567fc231d74f93ded8dead86dcffb0fc293de1a4c85a161dd894b490e57806df67cf01da |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AI.ico
| MD5 | 2d5ee470e51e769e649109d2721937d3 |
| SHA1 | 89bb18a904dc2857e52cff3a384df50858d5e17c |
| SHA256 | 08afe88e8a0475e320c6da70ff530ada3a6fb426051a6337a769c14dc37ae316 |
| SHA512 | d6801a6b238a9779b0b8829f79412c227ed8480ec060e3d1992c9b1024c94a8f1f6ed32097c8a93a6f2600ad68b2ac537fba5f0982a41fef01a832994cc0cc20 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AG.ico
| MD5 | 93f8d14b56bf5f257f87ea438c7a3601 |
| SHA1 | 31b71ace333e016408af2f18290463389206d1c0 |
| SHA256 | 8e36c85a8ba6b92ea906d4dcda412b492449e668fac3b05f5fc512118fa71e5f |
| SHA512 | a70adeb933e65ba11b28d11fad9a2eae29a623013f9bd8383afa5c794f214a6820f797f03f1714759bd38356b160b9c1e159dfcecbfa7e95f4ce2b24bfb24cf5 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AF.ico
| MD5 | e18c650283441dfbdc3aa46a414f326c |
| SHA1 | eda65607858d6b93db9ca4a9f20cac382cb685db |
| SHA256 | ecf99e08bf15aca4325c4790ee20ccc674b6f4fc6dbbef0885f36bf8e6e8aa68 |
| SHA512 | f10cd2a31390bbb06546052214a817153f35ed9b5c5403995267e1e9b4987630c08ddf7db414146211b8cfb4769949cd660060bd2a5c8a51bf5bc381372a6673 |
C:\Users\Admin\Desktop\CraxsRat 3.9.2 By @DarKnetboys\res\Lib\platformBinary\platformBinary32\res\GeoIP\Flags\AE.ico
| MD5 | 5c22046c8b4f37adbd0f41a811238d5e |
| SHA1 | e3c49202f86ff0718f169ce4cb82570457891bd3 |
| SHA256 | 0759c987d55b3e2bc78ea1761d451b0b40928865c5b5652ef7b304426bc1dab9 |
| SHA512 | 655c129c7456ce083a9eec235e04b871a16c4226f7cb1aa2ac4b119770b24ac61036950b0a77257af96352318a991037a1b9b5e2925ca84272995dd8135abca8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 12:57
Reported
2024-05-25 15:37
Platform
win7-20240508-en
Max time kernel
143s
Max time network
129s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2424 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2424 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2424 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2652 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2652 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2652 wrote to memory of 2516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2516 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2516 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2516 wrote to memory of 2700 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
Network
Files
memory/2700-30-0x000007FEFB1A0000-0x000007FEFB1D4000-memory.dmp
memory/2700-29-0x000000013FB60000-0x000000013FC58000-memory.dmp
memory/2700-32-0x000007FEFB180000-0x000007FEFB198000-memory.dmp
memory/2700-33-0x000007FEFB160000-0x000007FEFB177000-memory.dmp
memory/2700-31-0x000007FEF61C0000-0x000007FEF6476000-memory.dmp
memory/2700-35-0x000007FEF7D80000-0x000007FEF7D97000-memory.dmp
memory/2700-34-0x000007FEFB140000-0x000007FEFB151000-memory.dmp
memory/2700-38-0x000007FEF6F70000-0x000007FEF6F81000-memory.dmp
memory/2700-37-0x000007FEF7AF0000-0x000007FEF7B0D000-memory.dmp
memory/2700-36-0x000007FEF7B10000-0x000007FEF7B21000-memory.dmp
memory/2700-39-0x000007FEF5C50000-0x000007FEF5E5B000-memory.dmp
memory/2700-42-0x000007FEF6980000-0x000007FEF69A1000-memory.dmp
memory/2700-41-0x000007FEF6AF0000-0x000007FEF6B31000-memory.dmp
memory/2700-45-0x000007FEF5C10000-0x000007FEF5C21000-memory.dmp
memory/2700-46-0x000007FEF5BF0000-0x000007FEF5C01000-memory.dmp
memory/2700-44-0x000007FEF5C30000-0x000007FEF5C41000-memory.dmp
memory/2700-43-0x000007FEF6AD0000-0x000007FEF6AE8000-memory.dmp
memory/2700-47-0x000007FEF5BD0000-0x000007FEF5BEB000-memory.dmp
memory/2700-48-0x000007FEF5BB0000-0x000007FEF5BC1000-memory.dmp
memory/2700-49-0x000007FEF5B90000-0x000007FEF5BA8000-memory.dmp
memory/2700-51-0x000007FEF5AF0000-0x000007FEF5B57000-memory.dmp
memory/2700-50-0x000007FEF5B60000-0x000007FEF5B90000-memory.dmp
memory/2700-52-0x000007FEF5A70000-0x000007FEF5AEC000-memory.dmp
memory/2700-53-0x000007FEF5A50000-0x000007FEF5A61000-memory.dmp
memory/2700-54-0x000007FEF59F0000-0x000007FEF5A47000-memory.dmp
memory/2700-56-0x000007FEF5990000-0x000007FEF59B4000-memory.dmp
memory/2700-55-0x000007FEF59C0000-0x000007FEF59E8000-memory.dmp
memory/2700-59-0x000007FEF5920000-0x000007FEF5931000-memory.dmp
memory/2700-40-0x000007FEF4590000-0x000007FEF5640000-memory.dmp
memory/2700-62-0x000007FEF3B20000-0x000007FEF3C1F000-memory.dmp
memory/2700-63-0x000007FEF1EC0000-0x000007FEF1ED1000-memory.dmp
memory/2700-61-0x000007FEF3C20000-0x000007FEF3C31000-memory.dmp
memory/2700-60-0x000007FEF5900000-0x000007FEF5912000-memory.dmp
memory/2700-58-0x000007FEF5940000-0x000007FEF5963000-memory.dmp
memory/2700-57-0x000007FEF5970000-0x000007FEF5988000-memory.dmp
memory/2700-64-0x000007FEF1E60000-0x000007FEF1EB7000-memory.dmp
memory/2700-65-0x000007FEF1A60000-0x000007FEF1A8F000-memory.dmp
memory/2700-66-0x000007FEF1A40000-0x000007FEF1A53000-memory.dmp
memory/2700-67-0x000007FEF1A20000-0x000007FEF1A31000-memory.dmp
memory/2700-68-0x000007FEF01C0000-0x000007FEF0285000-memory.dmp
memory/2700-69-0x000007FEF1A00000-0x000007FEF1A13000-memory.dmp
memory/2700-70-0x000007FEF19E0000-0x000007FEF19F1000-memory.dmp
memory/2700-71-0x000007FEF01A0000-0x000007FEF01B4000-memory.dmp
memory/2700-73-0x000007FEF0110000-0x000007FEF0122000-memory.dmp
memory/2700-72-0x000007FEEF630000-0x000007FEEF836000-memory.dmp
memory/2700-74-0x000007FEF0070000-0x000007FEF00B2000-memory.dmp
memory/2700-75-0x000007FEEFF00000-0x000007FEEFF4D000-memory.dmp