File name:

CrazyCattle3D.zip

Full analysis: https://app.any.run/tasks/c4954ea1-7af4-451a-8e2a-9de21fa35bb2
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 21, 2025, 13:19:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
blankgrabber
evasion
stealer
pyinstaller
screenshot
discord
susp-powershell
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

348C008BECEF8FE3A7CFF1D358EB3788

SHA1:

9590AF293131BB60693720DDD5BB23A2D1F21B0C

SHA256:

C3406AD3BEDAC28B58C2203BE788A5B64143EABEBCB7A96CF385EC955DF8AFB0

SSDEEP:

393216:EdnazoOoXsHPPkkNIAFius2LGlRJKfRPKzwLZ72Kwx+fTHmWMWL+QbmWc:EdaTlPf1s2LGlRoR8wLZql+fLmdaTc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7660)

    • Executing a file with an untrusted certificate

      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)

    • BlankGrabber has been detected

      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7792)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7972)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7980)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7980)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3896)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3896)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3896)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3896)

    • Changes settings for real-time protection

      • powershell.exe (PID: 3896)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3896)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3896)

    • Steals credentials from Web Browsers

      • Crazy Cattle Updater.exe (PID: 7936)

    • Actions looks like stealing of personal data

      • Crazy Cattle Updater.exe (PID: 7936)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3888)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7916)

    • Starts Visual C# compiler

      • powershell.exe (PID: 3888)

    • BLANKGRABBER has been detected (SURICATA)

      • Crazy Cattle Updater.exe (PID: 7936)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7936)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Process drops python dynamic module

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Process drops legitimate windows executable

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • WinRAR.exe (PID: 7660)

    • Application launched itself

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Executable content was dropped or overwritten

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • csc.exe (PID: 7772)

    • Reads security settings of Internet Explorer

      • Crazy Cattle Updater.exe (PID: 7812)
      • WinRAR.exe (PID: 7660)

    • The process drops C-runtime libraries

      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7792)

    • Found strings related to reading or modifying Windows Defender settings

      • Crazy Cattle Updater.exe (PID: 7936)

    • Get information on the list of running processes

      • cmd.exe (PID: 8008)
      • Crazy Cattle Updater.exe (PID: 7936)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7612)
      • cmd.exe (PID: 7768)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7972)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 8156)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 6712)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 8128)
      • cmd.exe (PID: 7144)
      • cmd.exe (PID: 2420)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7980)

    • Checks for external IP

      • Crazy Cattle Updater.exe (PID: 7936)
      • svchost.exe (PID: 2196)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 960)
      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 5640)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7012)
      • WMIC.exe (PID: 1760)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7084)
      • WMIC.exe (PID: 3132)
      • WMIC.exe (PID: 3132)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7980)

    • Starts CMD.EXE for commands execution

      • Crazy Cattle Updater.exe (PID: 7936)
      • WinRAR.exe (PID: 7660)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 208)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6752)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 7924)
      • cmd.exe (PID: 2240)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6632)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7916)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7916)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7772)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 3888)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 3888)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6132)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7084)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7328)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7764)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 7660)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7916)

  • INFO

    • The sample compiled with english language support

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • WinRAR.exe (PID: 7660)

    • Checks supported languages

      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7936)
      • Crazy Cattle Updater.exe (PID: 7900)
      • tree.com (PID: 4608)
      • tree.com (PID: 7420)
      • tree.com (PID: 7860)
      • tree.com (PID: 2108)
      • tree.com (PID: 4896)
      • tree.com (PID: 7816)
      • csc.exe (PID: 7772)
      • cvtres.exe (PID: 7612)
      • rar.exe (PID: 7764)
      • MpCmdRun.exe (PID: 7496)

    • Reads the computer name

      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)
      • MpCmdRun.exe (PID: 7496)

    • Manual execution by a user

      • Crazy Cattle Updater.exe (PID: 7792)

    • Reads the machine GUID from the registry

      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7936)
      • csc.exe (PID: 7772)
      • rar.exe (PID: 7764)

    • Create files in a temporary directory

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)
      • Crazy Cattle Updater.exe (PID: 7812)
      • cvtres.exe (PID: 7612)
      • rar.exe (PID: 7764)
      • csc.exe (PID: 7772)
      • MpCmdRun.exe (PID: 7496)

    • Process checks computer location settings

      • Crazy Cattle Updater.exe (PID: 7812)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3132)
      • WMIC.exe (PID: 7012)
      • WMIC.exe (PID: 7084)
      • WMIC.exe (PID: 6632)
      • WMIC.exe (PID: 6132)
      • WMIC.exe (PID: 3132)
      • WMIC.exe (PID: 6048)
      • WMIC.exe (PID: 1760)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2136)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 8148)

    • Checks the directory tree

      • tree.com (PID: 7420)
      • tree.com (PID: 7860)
      • tree.com (PID: 4896)
      • tree.com (PID: 7816)
      • tree.com (PID: 2108)
      • tree.com (PID: 4608)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 2516)

    • PyInstaller has been detected (YARA)

      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 856)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 5868)

    • Checks proxy server information

      • slui.exe (PID: 684)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7660)

    • Reads the software policy settings

      • slui.exe (PID: 684)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Crazy Cattle Updater.exe (PID: 7936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:20 14:53:56
ZipCRC: 0xfba9007a
ZipCompressedSize: 21526485
ZipUncompressedSize: 26502704
ZipFileName: CrazyCattle3D.pck
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
238
Monitored processes
115
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe #BLANKGRABBER crazy cattle updater.exe crazy cattle updater.exe no specs #BLANKGRABBER crazy cattle updater.exe #BLANKGRABBER crazy cattle updater.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs tasklist.exe no specs powershell.exe no specs powershell.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs tasklist.exe no specs tasklist.exe no specs reg.exe no specs systeminfo.exe no specs netsh.exe no specs tree.com no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tiworker.exe no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208C:\WINDOWS\system32\cmd.exe /c "systeminfo"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
616C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
664C:\WINDOWS\system32\cmd.exe /c "powershell Get-Clipboard"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
684C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefaultC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
960C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1012\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
58 655
Read events
58 640
Write events
15
Delete events
0

Modification events

(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\CrazyCattle3D.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7936) Crazy Cattle Updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(616) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31175360
Executable files
38
Suspicious files
31
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libssl-1_1.dllexecutable
MD5:6E6E0C644E5B56A7C59FF98E655CF108
SHA256:79D3991402EF35FF064D501FCEA4B40CB7172B5D6BBC745012C358036E96D5A9
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_socket.pydexecutable
MD5:B69412464D4BC4721344F882C9889457
SHA256:94258B7AA256E61FB7AB7C0C89ABCB2C773E6197AF54551CBED49DDF03D22DAF
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_decimal.pydexecutable
MD5:C429837336CA2E037ECBC19A1ABB1C76
SHA256:0DECE516FCB1736CB0BDACD730EF2B60A76B448373215D52FD67C48F298C9BB0
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_ctypes.pydexecutable
MD5:C3C1570BE91FE53CA1D865190E5BC808
SHA256:6FD8B3DDE4F780191F4008A7A8DD9118C8CA2FDBCD59915D80919DF2E2AFF3A8
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libcrypto-1_1.dllexecutable
MD5:4AF0E1F36DBC17472EBA85B4DFF96B8C
SHA256:037F0E27B6FED98DA22F166C41CD6D9176D6DF14A14BA47B9E80A031B2AAC748
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_queue.pydexecutable
MD5:8EFF2E6F7EDBE721AC39B8E41A7C8EB0
SHA256:40CE76181667A80C256ECF9F16C856281D1DB6A23B0E5551D7CEF4BB2152F79E
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_hashlib.pydexecutable
MD5:EEF5D6757C0731FE9261CE8E348E3DAB
SHA256:14B9662B141E198DAA4BCAD9550DD0E408A23B18498453EB11928292C817B878
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libffi-7.dllexecutable
MD5:BCC4DF6DD84DA08E66C29C14DB155E6B
SHA256:AD32EBB92DCB9FE5D7C4E94D556E04960233060BB9A25AADD869B5DF8D799154
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\rarreg.keytext
MD5:4531984CAD7DACF24C086830068C4ABE
SHA256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_bz2.pydexecutable
MD5:716782C48614A90C5834F823A0CC4B14
SHA256:17651DFB643778B4250738BD23F2311C6966BCD07B77040456A8E1DCC26DCACB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
42
DNS requests
17
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7936
Crazy Cattle Updater.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
6392
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/sls/ping
unknown
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7936
Crazy Cattle Updater.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
7936
Crazy Cattle Updater.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted
6392
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6392
SIHClient.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6392
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.23.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
blank-4lloj.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.184.227
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7936
Crazy Cattle Updater.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7936
Crazy Cattle Updater.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7936
Crazy Cattle Updater.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7936
Crazy Cattle Updater.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7936
Crazy Cattle Updater.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CrazyCattle3D.zip