File name: CraftRise.exe
Full analysis: https://app.any.run/tasks/440f8df8-bf7f-470e-9bd1-2612b82375f8
Verdict: Malicious activity
Analysis date: May 24, 2024, 18:52:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: F20BA267BB3A57CEEDE30EA71FA9318A
SHA1: E45DE1D008D4D9D519B03F68B700886A8CA5F6B4
SHA256: 8FAF0EAC419869DD76D6930F47539B8D3C4D2A5D0C8AFB8D1FF167261B183EBA
SSDEEP: 24576:VxskkRrmrcdHzECs4y2OcMVqJdcrhtfSy:VxsTBmCs2OcMVg6r5
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
  • Drops the executable file immediately after the start: CraftRise.exe (PID: 3972)
SUSPICIOUS
  • The process drops C-runtime libraries: CraftRise.exe (PID: 3972)
  • Process drops legitimate windows executable: CraftRise.exe (PID: 3972)
  • Reads the Internet Settings: CraftRise.exe (PID: 3972)
  • Executable content was dropped or overwritten: CraftRise.exe (PID: 3972)
  • Reads settings of System Certificates: CraftRise.exe (PID: 3972)
INFO
  • Checks supported languages: java.exe (PID: 2108), CraftRise.exe (PID: 3972), wmpnscfg.exe (PID: 1024)
  • Reads the computer name: wmpnscfg.exe (PID: 1024), CraftRise.exe (PID: 3972)
  • Manual execution by a user: wmpnscfg.exe (PID: 1024), firefox.exe (PID: 372)
  • Create files in a temporary directory: java.exe (PID: 2108)
  • Application launched itself: firefox.exe (PID: 372), firefox.exe (PID: 336)
  • Disables trace logs: CraftRise.exe (PID: 3972)
  • Reads Environment values: CraftRise.exe (PID: 3972)
  • Reads the machine GUID from the registry: CraftRise.exe (PID: 3972)
  • Reads the software policy settings: CraftRise.exe (PID: 3972)
  • Creates files or folders in the user directory: CraftRise.exe (PID: 3972)

The only MALICIOUS-tier hit is the generic file-drop signature. Read together with the dropped-file list and the process tree (java.lzma and java.zip written under %AppData%\.craftrise, DotNetZip temporary files next to JDK DLLs, then java.exe -version launched from the unpacked jdk-x32 directory), the behaviour is consistent with a launcher unpacking a bundled 32-bit JDK; the verdict rests on heuristics, not on a detected payload or C2.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's top guess (Win64) contradicts the PE header, which says PE32 / Intel 386 / 32-bit (see File info above and the EXE block below). TRiD scores are byte-pattern heuristics; the header fields are authoritative for bitness and for the .NET (CLR) flag.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2089:08:15 19:43:28+00:00 (a future date, so not a link time; .NET compilers in deterministic mode store a hash of the build in this field rather than the clock)
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 901632
InitializedDataSize: 25600
UninitializedDataSize: -
EntryPoint: 0xde0fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: CraftRise Launcher
CompanyName: Ridev Yazilim Sistemleri Limited Şirketi
FileDescription: CraftRise Launcher
FileVersion: 1.0.0.1
InternalName: CraftRise Launcher.exe
LegalCopyright: CraftRise - Copyright © 2020
LegalTrademarks: CraftRise
OriginalFileName: CraftRise Launcher.exe
ProductName: CraftRise Launcher
ProductVersion: 1.0.0.1
AssemblyVersion: 1.0.0.0
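The File info, TRiD and EXE blocks above all describe the same header bytes, and they disagree (TRiD says Win64, the header says PE32). The following is an added example, not part of the ANY.RUN report and not CraftRise code: a small PE header reader in Python that pulls the fields a triager actually relies on (machine, PE32 vs PE32+, subsystem, DLL flag, presence of the CLR header that marks a .NET assembly) and flags an implausible TimeDateStamp such as the 2089 value shown above. The input is a constructed minimal header built by build_sample_pe with the same shape as this file's metadata; it is not the real sample.

```python
"""Read the PE header facts that TRiD guesses at, from the bytes themselves."""
import calendar
import struct
from datetime import datetime, timedelta, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe(timestamp, machine=0x014C, magic=0x10B, clr_rva=0x2008):
    """Constructed input: a minimal PE header shaped like the CraftRise.exe
    metadata on this page (i386, PE32, GUI, CLR header present).  It is not
    the real file and carries no sections or code."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header at offset 64
    pe32 = magic == 0x10B
    opt_size, ndirs_off, dirs_off = (224, 92, 96) if pe32 else (240, 108, 112)
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, opt_size,
                       0x0102 if pe32 else 0x0022)         # EXECUTABLE_IMAGE | 32BIT_MACHINE (or LARGE_ADDRESS_AWARE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)                     # Subsystem = Windows GUI
    struct.pack_into("<I", opt, ndirs_off, 16)             # NumberOfRvaAndSizes
    if clr_rva:
        struct.pack_into("<II", opt, dirs_off + 14 * 8, clr_rva, 0x48)  # data directory 14: CLR header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data, now=None):
    """Return machine, bitness, subsystem, CLR presence and a timestamp sanity check."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, _, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        bits, ndirs_off, dirs_off = 32, 92, 96
    elif magic == 0x20B:
        bits, ndirs_off, dirs_off = 64, 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > 14 and opt + dirs_off + 15 * 8 <= len(data):
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dirs_off + 14 * 8)
    # Add to the epoch by hand so 32-bit timestamps near 2100 work on every platform.
    linked = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    now = now or datetime.now(timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "bits": bits,
        "is_dll": bool(chars & 0x2000),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "timestamp": linked,
        # A link time after "now" cannot be real.  Deterministic .NET builds put a
        # content hash in this field, so treat it as a build fingerprint, not a date.
        "timestamp_plausible": datetime(1995, 1, 1, tzinfo=timezone.utc) <= linked <= now,
    }


# The TimeStamp shown in the EXE block above, 2089-08-15 19:43:28 UTC.
SAMPLE_TIMESTAMP = calendar.timegm((2089, 8, 15, 19, 43, 28))

if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe(SAMPLE_TIMESTAMP)).items():
        print("%-20s %s" % (key, value))
```

Run against a real file, replace build_sample_pe(...) with open(path, "rb").read(); the parser only touches the headers, so truncated or section-stripped samples still yield the machine, bitness and CLR flag.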
Total processes: 45
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(graph image omitted) Nodes: craftrise.exe (start), wmpnscfg.exe (no specs), java.exe (no specs), and ten firefox.exe nodes of which one carries specs; "no specs" marks a process with no signature hits.

Process information

PID 336: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: MEDIUM | Description: Firefox | Version: 115.0.2
  Modules: c:\program files\mozilla firefox\firefox.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\program files\mozilla firefox\mozglue.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\msasn1.dll, c:\program files\mozilla firefox\msvcp140.dll, c:\program files\mozilla firefox\vcruntime140.dll

PID 372: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: explorer.exe
  User: admin | Company: Mozilla Corporation | Integrity level: MEDIUM | Description: Firefox | Exit code: 0 | Version: 115.0.2
  Modules: same list as PID 336

PID 1024: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Parent: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Media Player Network Sharing Service Configuration Application | Exit code: 0 | Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules: c:\program files\windows media player\wmpnscfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 1296: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.5.1309891769\450367821" -childID 4 -isForBrowser -prefsHandle 3732 -prefMapHandle 3736 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe38caab-eec3-4ea5-a97d-f20190e853d4} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3660 17c4f560 tab
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336

PID 1588: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.1.588540220\302884879" -parentBuildID 20230710165010 -prefsHandle 1428 -prefMapHandle 1424 -prefsLen 28600 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27790210-1f4c-4d66-8a90-3cb15bb67e56} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1440 d9198a0 socket
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336

PID 1840: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.0.154588297\1283888023" -parentBuildID 20230710165010 -prefsHandle 1112 -prefMapHandle 1104 -prefsLen 28523 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e417d4b8-c83f-419b-9bb1-5ea1c693cf3d} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1184 d9a9d70 gpu
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336

PID 2108: "C:\Users\admin\AppData\Roaming\.craftrise\\java\jdk-x32\bin\java.exe" -version
  Path: C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\java.exe
  Parent: CraftRise.exe
  User: admin | Company: Oracle Corporation | Integrity level: MEDIUM | Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.51.16
  Modules: c:\users\admin\appdata\roaming\.craftrise\java\jdk-x32\bin\java.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 2252: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.2.383960168\1193573659" -childID 1 -isForBrowser -prefsHandle 1848 -prefMapHandle 1900 -prefsLen 28777 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bff9514-e221-4ded-ab19-a1e308179055} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1636 117f5560 tab
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336

PID 2432: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.4.1890378251\1548479735" -childID 3 -isForBrowser -prefsHandle 3748 -prefMapHandle 3720 -prefsLen 29209 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef262b8-8b42-4ca8-b552-cdaacf248d9e} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3700 153c4c90 tab
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336

PID 2472: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.3.1936018725\1659118585" -childID 2 -isForBrowser -prefsHandle 2848 -prefMapHandle 2844 -prefsLen 34225 -prefMapSize 244195 -jsInitHandle 900 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f6c33e2-ad0e-4844-9fd1-210bbf2b6d53} 336 "\\.\pipe\gecko-crash-server-pipe.336" 2860 160de110 tab
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  Parent: firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity level: LOW | Description: Firefox | Version: 115.0.2
  Modules: same list as PID 336
Total events: 12 476
Read events: 12 389
Write events: 70
Delete events: 17

Modification events

All ten recorded registry writes come from CraftRise.exe (PID 3972) and target two keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing:

CraftRise_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (no value shown)
  ConsoleTracingMask = (no value shown)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

CraftRise_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (no value shown)
  ConsoleTracingMask = (no value shown)

These are the values the RAS client library (rasapi32.dll) and RAS manager create for an image the first time it is loaded into that process, typically through WinINet connection and proxy detection, which .NET networking code triggers routinely. EnableFileTracing defaults to 0, so writing 0 disables nothing, and the same writes appear for benign .NET programs; the "Disables trace logs" indicator above carries little weight on its own.
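When reviewing registry writes from a sandbox run, the first job is to separate this kind of RAS tracing noise from writes that actually deserve a look. The following is an added example, not part of the ANY.RUN report and not CraftRise code: a Python classifier that tags a write as RAS tracing noise only when the key is Tracing\<image>_RASAPI32 or _RASMANCS, the value name is one of the six the RAS libraries create, and the embedded image name matches the writing process; everything else is left for review. REPORT_EVENTS re-enters the ten writes listed above; the tag names and the helper names are this example's own.

```python
"""Separate RAS tracing-key writes from registry writes that deserve review."""
import re
from collections import Counter

# rasapi32.dll / rasman create Tracing\<image>_RASAPI32 and <image>_RASMANCS
# with exactly these value names; the defaults they write leave tracing off.
RAS_TRACING_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\\(?P<image>[^\\]+)_(?:RASAPI32|RASMANCS)$",
    re.IGNORECASE,
)
RAS_TRACING_VALUES = {"EnableFileTracing", "EnableConsoleTracing", "FileTracingMask",
                      "ConsoleTracingMask", "MaxFileSize", "FileDirectory"}


def classify_write(process, key, name):
    """Tag one registry write (process image name, full key path, value name).

    ras-tracing-noise        expected RAS tracing values for the writer's own image
    ras-tracing-other-image  RAS tracing key that names a different image (worth a look)
    hklm-write-review        any other machine-wide write
    hkcu-write-review        any other per-user write
    """
    m = RAS_TRACING_KEY.match(key)
    if m and name in RAS_TRACING_VALUES:
        image = m.group("image").lower()
        writer = process.lower().rsplit(".", 1)[0]      # "CraftRise.exe" -> "craftrise"
        return "ras-tracing-noise" if image == writer else "ras-tracing-other-image"
    if key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
        return "hklm-write-review"
    return "hkcu-write-review"


def summarize(events):
    """Count tags over an iterable of (process, key, value name) events."""
    return Counter(classify_write(p, k, n) for p, k, n in events)


# The ten writes recorded in this report (values omitted; the tag does not depend on them).
REPORT_EVENTS = [
    ("CraftRise.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CraftRise_RASAPI32", n)
    for n in ("EnableFileTracing", "EnableConsoleTracing", "FileTracingMask",
              "ConsoleTracingMask", "MaxFileSize", "FileDirectory")
] + [
    ("CraftRise.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CraftRise_RASMANCS", n)
    for n in ("EnableFileTracing", "EnableConsoleTracing", "FileTracingMask", "ConsoleTracingMask")
]

if __name__ == "__main__":
    print(summarize(REPORT_EVENTS))   # Counter({'ras-tracing-noise': 10})
```

The image-name check matters: a process that writes tracing keys for a different image name is not the usual RAS side effect and should keep its review tag.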
Executable files: 221
Suspicious files: 65
Text files: 126
Unknown types: 8

Dropped files (all written by CraftRise.exe, PID 3972; the report lists only these rows of the 221 executable files counted above)

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Roaming\.craftrise\java.lzma | (not shown) | (not shown) | (not shown)
C:\Users\admin\AppData\Roaming\.craftrise\java.zip | (not shown) | (not shown) | (not shown)
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\DotNetZip-gkav2vi2.tmp | executable | 54A4A73916590EEB084E56304E4C5D9E | 4D5F4277E88D19EBE53856CFBE97AA671E7D0E9BC8D467CE024374CEFD8B294E
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\client\DotNetZip-xkbpwur3.tmp | executable | 3EA890EB92277D00C33B1B95BF0AE363 | DCD4B8BA604FFA3C26B64A957B33F37939286CDB5D331CFDEDE997E38A6E916F
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\DotNetZip-trgxljls.tmp | executable | B82D02007A0E92350866CDB931848C73 | EEAD440B39A7A700FB66C67DB9250C27BE4D097732A170165EA143B327F72A57
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\bci.dll | executable | B82D02007A0E92350866CDB931848C73 | EEAD440B39A7A700FB66C67DB9250C27BE4D097732A170165EA143B327F72A57
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\DotNetZip-urbyrq25.tmp | executable | DEA6AA7A793A8020A6A714DB90A144E4 | 71205ACA5B5A8528FF9C5FA674280FE09AF5B1C61BCE00B8C3883E983B54AF2F
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\deploy.dll | executable | 75CEB49EC8F3F9BA29C7CF26ED6F3D3B | FF4CABD6FB2E4BBD04305BF42F0122D72648FA0309CE12940175CAD7C3FDBE16
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\dcpr.dll | executable | DEA6AA7A793A8020A6A714DB90A144E4 | 71205ACA5B5A8528FF9C5FA674280FE09AF5B1C61BCE00B8C3883E983B54AF2F
C:\Users\admin\AppData\Roaming\.craftrise\java\jdk-x32\bin\DotNetZip-z41q14p4.tmp | executable | 88D4A03281CE0217CB73DA02C0F5BB8D | 63C279F47F8910E7F0F2A5AA9C6CE4DE1ED882D88856828E09298FEC7AB15179

Two of the DotNetZip-*.tmp rows carry the same hashes as bci.dll and dcpr.dll. DotNetZip extracts each archive entry to a DotNetZip-<random>.tmp file in the destination directory and then renames it, so each .tmp row is a staging copy of a JDK file, not an additional payload; counting unique hashes rather than file names gives the real number of distinct executables dropped.
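The list above mixes staging copies with their final names, so a name-based count overstates what was dropped. The following is an added example, not part of the ANY.RUN report and not CraftRise code: a Python triage helper that groups dropped-file rows by SHA256, pairs each DotNetZip temporary file with the final file that shares its hash, and reports the leftovers (temp files whose rename was not captured, final files with no captured temp stage, and rows the report listed without a hash). REPORT_ROWS re-enters the rows above with paths relative to C:\Users\admin\AppData\Roaming\.craftrise; the function and key names are this example's own.

```python
"""Collapse a sandbox's dropped-file list to unique payloads by hash."""
import re
from collections import defaultdict

# DotNetZip writes each entry to DotNetZip-<8 chars>.tmp in the target directory, then renames it.
DOTNETZIP_TMP = re.compile(r"DotNetZip-[0-9a-z]{8}\.tmp$", re.IGNORECASE)


def triage_dropped(rows):
    """rows: iterable of (path, sha256 or empty string).

    Groups by hash, pairs temp files with the final names sharing their hash,
    and returns counts plus the rows that could not be paired."""
    by_hash, unhashed = defaultdict(list), []
    for path, sha256 in rows:
        if sha256:
            by_hash[sha256.upper()].append(path)
        else:
            unhashed.append(path)                 # report gave no hash; cannot dedupe
    pairs, orphan_tmp, final_only = [], [], []
    for paths in by_hash.values():
        tmps = [p for p in paths if DOTNETZIP_TMP.search(p)]
        finals = [p for p in paths if not DOTNETZIP_TMP.search(p)]
        if tmps and finals:
            pairs.extend((t, f) for t in tmps for f in finals)
        elif tmps:
            orphan_tmp.extend(tmps)               # renamed after the snapshot, or never renamed
        else:
            final_only.extend(finals)             # no temp stage captured for this file
    return {
        "unique_payloads": len(by_hash),
        "pairs": pairs,
        "orphan_tmp": orphan_tmp,
        "final_only": final_only,
        "unhashed": unhashed,
    }


# The rows listed in this report, relative to C:\Users\admin\AppData\Roaming\.craftrise.
REPORT_ROWS = [
    ("java.lzma", ""),
    ("java.zip", ""),
    (r"java\jdk-x32\bin\DotNetZip-gkav2vi2.tmp", "4D5F4277E88D19EBE53856CFBE97AA671E7D0E9BC8D467CE024374CEFD8B294E"),
    (r"java\jdk-x32\bin\client\DotNetZip-xkbpwur3.tmp", "DCD4B8BA604FFA3C26B64A957B33F37939286CDB5D331CFDEDE997E38A6E916F"),
    (r"java\jdk-x32\bin\DotNetZip-trgxljls.tmp", "EEAD440B39A7A700FB66C67DB9250C27BE4D097732A170165EA143B327F72A57"),
    (r"java\jdk-x32\bin\bci.dll", "EEAD440B39A7A700FB66C67DB9250C27BE4D097732A170165EA143B327F72A57"),
    (r"java\jdk-x32\bin\DotNetZip-urbyrq25.tmp", "71205ACA5B5A8528FF9C5FA674280FE09AF5B1C61BCE00B8C3883E983B54AF2F"),
    (r"java\jdk-x32\bin\deploy.dll", "FF4CABD6FB2E4BBD04305BF42F0122D72648FA0309CE12940175CAD7C3FDBE16"),
    (r"java\jdk-x32\bin\dcpr.dll", "71205ACA5B5A8528FF9C5FA674280FE09AF5B1C61BCE00B8C3883E983B54AF2F"),
    (r"java\jdk-x32\bin\DotNetZip-z41q14p4.tmp", "63C279F47F8910E7F0F2A5AA9C6CE4DE1ED882D88856828E09298FEC7AB15179"),
]

if __name__ == "__main__":
    for key, value in triage_dropped(REPORT_ROWS).items():
        print(key, value)
```

On these rows the ten file names collapse to six unique hashes; the three unpaired temp files are the ones whose renamed counterpart did not make it into the excerpt, which is the first thing to pull from the full report.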
HTTP(S) requests: 12
TCP/UDP connections: 25
DNS requests: 63
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL
336 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html
336 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4
(not shown) | (not shown) | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
(not shown) | (not shown) | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 2.16.241.8:80 | http://r3.o.lencr.org/
336 | firefox.exe | POST | 200 | 216.58.212.163:80 | http://o.pki.goog/wr2

The CN, Type, Size and Reputation columns were empty or "unknown" for every row and are omitted. Every listed request is Firefox's own traffic: the captive-portal probe to detectportal.firefox.com and OCSP POSTs to the Let's Encrypt (r3.o.lencr.org) and Google Trust Services (o.pki.goog) responders. No plaintext HTTP request is attributed to CraftRise.exe; its only recorded traffic is the port-443 connection under Connections.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3972 | CraftRise.exe | 104.26.15.119:443 | client.craftrise.network | CLOUDFLARENET | US | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
336 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
336 | firefox.exe | 34.117.188.166:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | unknown
336 | firefox.exe | 2.16.241.8:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
336 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | unknown
336 | firefox.exe | 172.217.16.202:443 | safebrowsing.googleapis.com | | | whitelisted
336 | firefox.exe | 216.58.212.163:80 | o.pki.goog | GOOGLE | US | whitelisted
336 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | unknown

The single connection attributed to the sample is to client.craftrise.network on port 443 behind Cloudflare, so its content is not visible in the HTTP table. The System rows are NetBIOS name-service and datagram broadcasts (UDP 137/138) to the local subnet, and the remaining rows are Firefox's update, settings, Safe Browsing and OCSP traffic.

DNS requests

Domain | Resolved IPs | Reputation
client.craftrise.network | 104.26.15.119, 104.26.14.119, 172.67.68.21 | unknown
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
example.org | 93.184.215.14 | whitelisted
ipv4only.arpa | 192.0.0.170, 192.0.0.171 | whitelisted
contile.services.mozilla.com | 34.117.188.166 | whitelisted
spocs.getpocket.com | 34.117.188.166 | shared
prod.ads.prod.webservices.mozgcp.net | 34.117.188.166 | unknown
r3.o.lencr.org | 2.16.241.8, 2.16.241.15 | shared
a1887.dscq.akamai.net | 2.16.241.8, 2.16.241.15, 2a02:26f0:480:e::210:f108, 2a02:26f0:480:e::210:f10f | whitelisted

Threats: no threats detected
Debug info: none