File name:

CrazyCattle3D.zip

Full analysis: https://app.any.run/tasks/c4954ea1-7af4-451a-8e2a-9de21fa35bb2
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: April 21, 2025, 13:19:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
blankgrabber
evasion
stealer
pyinstaller
screenshot
discord
susp-powershell
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

348C008BECEF8FE3A7CFF1D358EB3788

SHA1:

9590AF293131BB60693720DDD5BB23A2D1F21B0C

SHA256:

C3406AD3BEDAC28B58C2203BE788A5B64143EABEBCB7A96CF385EC955DF8AFB0

SSDEEP:

393216:EdnazoOoXsHPPkkNIAFius2LGlRJKfRPKzwLZ72Kwx+fTHmWMWL+QbmWc:EdaTlPf1s2LGlRoR8wLZql+fLmdaTc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Generic archive extractor

      • WinRAR.exe (PID: 7660)

    • BlankGrabber has been detected

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7980)

    • Adds path to the Windows Defender exclusion list

      • Crazy Cattle Updater.exe (PID: 7936)
      • cmd.exe (PID: 7972)

    • Changes settings for real-time protection

      • powershell.exe (PID: 3896)

    • Changes Windows Defender settings

      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7980)

    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 3896)

    • Changes Controlled Folder Access settings

      • powershell.exe (PID: 3896)

    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 3896)

    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 3896)

    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 3896)

    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3896)

    • Actions looks like stealing of personal data

      • Crazy Cattle Updater.exe (PID: 7936)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Steals credentials from Web Browsers

      • Crazy Cattle Updater.exe (PID: 7936)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3888)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7916)

    • Starts Visual C# compiler

      • powershell.exe (PID: 3888)

    • BLANKGRABBER has been detected (SURICATA)

      • Crazy Cattle Updater.exe (PID: 7936)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Process drops legitimate windows executable

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • WinRAR.exe (PID: 7660)

    • Process drops python dynamic module

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Executable content was dropped or overwritten

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • csc.exe (PID: 7772)

    • The process drops C-runtime libraries

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Application launched itself

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)

    • Reads security settings of Internet Explorer

      • Crazy Cattle Updater.exe (PID: 7812)
      • WinRAR.exe (PID: 7660)

    • Starts CMD.EXE for commands execution

      • Crazy Cattle Updater.exe (PID: 7936)
      • WinRAR.exe (PID: 7660)

    • Found strings related to reading or modifying Windows Defender settings

      • Crazy Cattle Updater.exe (PID: 7936)

    • Get information on the list of running processes

      • Crazy Cattle Updater.exe (PID: 7936)
      • cmd.exe (PID: 8008)
      • cmd.exe (PID: 7452)
      • cmd.exe (PID: 7768)
      • cmd.exe (PID: 7612)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 7980)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 7916)
      • cmd.exe (PID: 8156)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 2320)

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 7972)

    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 7980)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 8128)
      • cmd.exe (PID: 7144)
      • cmd.exe (PID: 2420)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 7012)
      • WMIC.exe (PID: 1760)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 960)
      • cmd.exe (PID: 7260)
      • cmd.exe (PID: 5640)

    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 7980)

    • Uses SYSTEMINFO.EXE to read the environment

      • cmd.exe (PID: 208)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 6752)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 7324)
      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 7924)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 7916)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 7084)
      • WMIC.exe (PID: 3132)
      • WMIC.exe (PID: 3132)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7916)

    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 6632)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 7916)

    • Uses .NET C# to load dll

      • powershell.exe (PID: 3888)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7772)

    • Captures screenshot (POWERSHELL)

      • powershell.exe (PID: 3888)

    • The executable file from the user directory is run by the CMD process

      • rar.exe (PID: 7764)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 6132)

    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 7084)

    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 7328)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 7660)

  • INFO

    • Manual execution by a user

      • Crazy Cattle Updater.exe (PID: 7792)

    • Checks supported languages

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)
      • tree.com (PID: 7420)
      • tree.com (PID: 4608)
      • tree.com (PID: 2108)
      • tree.com (PID: 7816)
      • tree.com (PID: 4896)
      • tree.com (PID: 7860)
      • csc.exe (PID: 7772)
      • cvtres.exe (PID: 7612)
      • rar.exe (PID: 7764)
      • MpCmdRun.exe (PID: 7496)

    • Reads the computer name

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)
      • MpCmdRun.exe (PID: 7496)

    • The sample compiled with english language support

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7900)
      • WinRAR.exe (PID: 7660)

    • Create files in a temporary directory

      • Crazy Cattle Updater.exe (PID: 7792)
      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)
      • csc.exe (PID: 7772)
      • cvtres.exe (PID: 7612)
      • rar.exe (PID: 7764)
      • MpCmdRun.exe (PID: 7496)

    • Reads the machine GUID from the registry

      • Crazy Cattle Updater.exe (PID: 7812)
      • Crazy Cattle Updater.exe (PID: 7936)
      • csc.exe (PID: 7772)
      • rar.exe (PID: 7764)

    • Process checks computer location settings

      • Crazy Cattle Updater.exe (PID: 7812)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7012)
      • WMIC.exe (PID: 3132)
      • WMIC.exe (PID: 6632)
      • WMIC.exe (PID: 7084)
      • WMIC.exe (PID: 6132)
      • WMIC.exe (PID: 6048)
      • WMIC.exe (PID: 1760)
      • WMIC.exe (PID: 3132)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2136)

    • The Powershell gets current clipboard

      • powershell.exe (PID: 8148)

    • Checks the directory tree

      • tree.com (PID: 4608)
      • tree.com (PID: 7420)
      • tree.com (PID: 7860)
      • tree.com (PID: 7816)
      • tree.com (PID: 2108)
      • tree.com (PID: 4896)

    • PyInstaller has been detected (YARA)

      • Crazy Cattle Updater.exe (PID: 7900)
      • Crazy Cattle Updater.exe (PID: 7936)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 3896)
      • powershell.exe (PID: 2800)
      • powershell.exe (PID: 856)

    • Displays MAC addresses of computer network adapters

      • getmac.exe (PID: 5868)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 3896)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Crazy Cattle Updater.exe (PID: 7936)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7660)

    • Checks proxy server information

      • slui.exe (PID: 684)

    • Reads the software policy settings

      • slui.exe (PID: 684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:04:20 14:53:56
ZipCRC: 0xfba9007a
ZipCompressedSize: 21526485
ZipUncompressedSize: 26502704
ZipFileName: CrazyCattle3D.pck
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
238
Monitored processes
115
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe #BLANKGRABBER crazy cattle updater.exe crazy cattle updater.exe no specs #BLANKGRABBER crazy cattle updater.exe #BLANKGRABBER crazy cattle updater.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs tasklist.exe no specs powershell.exe no specs powershell.exe no specs wmic.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tasklist.exe no specs wmic.exe no specs tasklist.exe no specs tasklist.exe no specs reg.exe no specs systeminfo.exe no specs netsh.exe no specs tree.com no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs tree.com no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs tiworker.exe no specs csc.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs getmac.exe no specs cmd.exe no specs conhost.exe no specs rar.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208C:\WINDOWS\system32\cmd.exe /c "systeminfo"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
616C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
664C:\WINDOWS\system32\cmd.exe /c "powershell Get-Clipboard"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
684C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
736\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
856powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefaultC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
960C:\WINDOWS\system32\cmd.exe /c "wmic path win32_VideoController get name"C:\Windows\SysWOW64\cmd.exeCrazy Cattle Updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1012\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
58 655
Read events
58 640
Write events
15
Delete events
0

Modification events

(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\CrazyCattle3D.zip
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7660) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7936) Crazy Cattle Updater.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia\DrawDib
Operation:writeName: 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(616) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31175360
Executable files
38
Suspicious files
31
Text files
40
Unknown types
0

Dropped files

PID
Process
Filename
Type
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\VCRUNTIME140.dllexecutable
MD5:C33386A6E67BE415A24D9C431FFD42AC
SHA256:EB5B47CCEDDB4A45E059C1E1FCD2EFB016CB2BD9FE1FC0FD3F4C3C4CAB04153A
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_ssl.pydexecutable
MD5:599C4F1B93E914DDAA5CDBE131626CB7
SHA256:9C6E69A31613A748E61DC228A246DB42CBBF149BC348CAD323BAAFADD7BB5AE1
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libcrypto-1_1.dllexecutable
MD5:4AF0E1F36DBC17472EBA85B4DFF96B8C
SHA256:037F0E27B6FED98DA22F166C41CD6D9176D6DF14A14BA47B9E80A031B2AAC748
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libssl-1_1.dllexecutable
MD5:6E6E0C644E5B56A7C59FF98E655CF108
SHA256:79D3991402EF35FF064D501FCEA4B40CB7172B5D6BBC745012C358036E96D5A9
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\base_library.zipcompressed
MD5:5B15EEE180731EC960C4F65105012080
SHA256:01FE93B886F06462769A8C7E2ADD53AD651E7FA1B5021A8902BBD0DEA937AF1D
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\libffi-7.dllexecutable
MD5:BCC4DF6DD84DA08E66C29C14DB155E6B
SHA256:AD32EBB92DCB9FE5D7C4E94D556E04960233060BB9A25AADD869B5DF8D799154
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_decimal.pydexecutable
MD5:C429837336CA2E037ECBC19A1ABB1C76
SHA256:0DECE516FCB1736CB0BDACD730EF2B60A76B448373215D52FD67C48F298C9BB0
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\blank.aesbinary
MD5:BEE6A70248CA709286EEADA03385C707
SHA256:AD9072104E17A95ABF8AF58687EB1FE5D190171A3E39EE5BFD11FF913B430A4C
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_bz2.pydexecutable
MD5:716782C48614A90C5834F823A0CC4B14
SHA256:17651DFB643778B4250738BD23F2311C6966BCD07B77040456A8E1DCC26DCACB
7792Crazy Cattle Updater.exeC:\Users\admin\AppData\Local\Temp\_MEI77922\_hashlib.pydexecutable
MD5:EEF5D6757C0731FE9261CE8E348E3DAB
SHA256:14B9662B141E198DAA4BCAD9550DD0E408A23B18498453EB11928292C817B878
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
42
DNS requests
17
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7936
Crazy Cattle Updater.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
GET
204
172.217.18.3:443
https://gstatic.com/generate_204
unknown
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
6392
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6392
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7936
Crazy Cattle Updater.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted
7936
Crazy Cattle Updater.exe
142.250.184.227:443
gstatic.com
GOOGLE
US
whitelisted
6392
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6392
SIHClient.exe
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6392
SIHClient.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.23.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
blank-4lloj.in
unknown
ip-api.com
  • 208.95.112.1
whitelisted
gstatic.com
  • 142.250.184.227
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7936
Crazy Cattle Updater.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
7936
Crazy Cattle Updater.exe
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
7936
Crazy Cattle Updater.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
7936
Crazy Cattle Updater.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7936
Crazy Cattle Updater.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CrazyCattle3D.zip