hxxps://gofile[.]io/d/CSFn4d

Analysis

max time kernel
1724s
max time network
1687s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/CSFn4d

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/5440-201-0x0000029833FB0000-0x000002983501C000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

CraxsRat.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk	CraxsRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\CraxsRat 7.4 Cracked By @Hidden_Blaze\\CraxsRat 7.4 Cracked By @Hidden_Blaze\\res\\Icons\\apk.ico"	CraxsRat.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon	CraxsRat.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4940	msedge.exe
4940	msedge.exe
4832	msedge.exe
4832	msedge.exe
1536	identity_helper.exe
1536	identity_helper.exe
5404	msedge.exe
5404	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe
2812	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CraxsRat.exe

description pid process

Token: SeDebugPrivilege 5440 CraxsRat.exe

description	pid	process
Token: SeDebugPrivilege	5440	CraxsRat.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

msedge.exeCraxsRat.exe

pid	process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
5440	CraxsRat.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

msedge.exeCraxsRat.exe

pid	process
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
5440	CraxsRat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4832 wrote to memory of 2452	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 2452	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 3488	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 4940	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 4940	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe
PID 4832 wrote to memory of 1136	4832	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/CSFn4d
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f56546f8,0x7ff8f5654708,0x7ff8f5654718
2⤵
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2316 /prefetch:2
2⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:1
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3212 /prefetch:8
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
2⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
2⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4751670325786286286,10592511000552425777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
2⤵
PID:5784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5252

C:\Users\Admin\Downloads\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe
"C:\Users\Admin\Downloads\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat 7.4 Cracked By @Hidden_Blaze\CraxsRat.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Hidden_Blaze
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f56546f8,0x7ff8f5654708,0x7ff8f5654718
3⤵
PID:3516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Cracked4You
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8f56546f8,0x7ff8f5654708,0x7ff8f5654718
3⤵
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
97aee13aefc3eb2b73a7b0d1ff0256c3

SHA1
12945065a27b92821ec20d71a91d0cacaf80ed9c

SHA256
2dd136a0932fa1c05e26efddec7c105de6d07d75ed193a1af6a69917589da6bf

SHA512
d6190892d014f2cedbe7e835b5fd5a9c0a0c72eb4961b3adba1a444aae80f953029082f5717e139484e2aa746d8453564cb490a584005481c2d1d4adbe75c356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
01fec30594fb551f53de923bee8dfd67

SHA1
ab8cb4c43fd02a90e63a1ba53efeee041f239964

SHA256
6fa8d592d57cf7596c92ea1b24856700710d249ff9c8980c2a02179d3d94064a

SHA512
a4256a3d490e0ed6724fc2135e6e9efb4dfd6ff4cc2fe7ef46cf8fb32faab080825f8616e2d72999843b1883c3a3b129244a05cb9eb24b9e6be85771304d16f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
739B

MD5
1b1818e3ba65d586c8f46890cebe5d9e

SHA1
36e03b19af10d4178f70f2bf1ff2524aac4d369c

SHA256
9d60c6a3c9bd6ed6b999bb33fd6e6d5e2f249710e322a327b2a2bbf1c5e99cc8

SHA512
08b215df6f65e2d9d0485d51d080144a72e91048ed80f3c790205610ba2207c5f950a891c316d7d069483b8ce318cdd8cbd5d884b0d191a4b4b9b8f1bfc2e65a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
317B

MD5
afc6cddd7e64d81e52b729d09f227107

SHA1
ad0d3740f4b66de83db8862911c07dc91928d2f6

SHA256
b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0

SHA512
844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
01c2c3177e175d5cc58338a71b45eed4

SHA1
0fec4de991e0ce20db05bd7c743538c4f48b2a23

SHA256
3df3b164547c9aaabc61b0761803954abf0eae4478bde7851094053f61dfa120

SHA512
3161ffc6e4242f73e14e6730b5ec22732cdcdbf16f001efc302adcc2b1582faffc156a85c1b6386668c35dae4c758e50fee4efdde9b53962bbe2d8649ddd8e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
12a142614b021e38b1eae76344254e94

SHA1
520d08f7f9ea2770530402ae3f6f273907a2bd42

SHA256
289fa2a6742160d0d201da2c3d244fe3a844a5b5629fc21b47e3c010fdc24d92

SHA512
58e28ab8744f01504781911583df97c68ba55217a56b6fa1bc599684f41b8a624e3c672b6176047063d10b4be014f6b69d1d8d3c5fa8b54d52d42b52d8e65526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
747e1db31bd8b3879995251822033d9f

SHA1
e32cbed0aa81525bd023bb6369433723d6c23770

SHA256
15e935f31e1e03b9a786c80ef7c6f6fa0be7278cd5d533d846fd928717796507

SHA512
ddc4ae217b4b2733b3ee54871e8992ccdb433f1928dda89751af464a670811e861d28238c8058d264e94d01a47040d04e0dc8e113f01992b7ef55f3df932409c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ba2e.TMP
Filesize
370B

MD5
0d14a555947edcb6c736ebe2e2b51ef8

SHA1
d4d0ea72751006cf7bd52bccfbb4076185876bd5

SHA256
7ec4baba20bd1061ecbde5afb70562aab158009e61caf43824b65eba70e65997

SHA512
ab732e2eb506697cf6067c4cb75a7a8177799b7b4c12dbdf2e08d82c019a74055abf2bdae4a1b1f100712ace816b913b02f8e948380b752b927730aece0fe9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
bc2335120603ba6dca2e4be2ad585821

SHA1
eb0d6cbfa70ca0db13c721af3f2aa42ad96aa8ee

SHA256
a34f506881e92654930c648a60e95bac306c989c2e1d9bd5a41f06f86bef7e97

SHA512
063b5e16340cdfa0d80c3188e491f297e4ff7c859ed8353b2b0de94080b18aa5799666eafbd5c9960d2cd8b462fb8d8100b679d5dbd138a964967e608ef75203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0dba547939e0052e3cb7f442164de3e1

SHA1
659b815e440ba126014af5fd42d5d507f15bf2db

SHA256
4badddc9543a538b183078b3eb7dbedcb9b116906a7dbb4efb31d8459121e952

SHA512
a5c084ecbf87d1f0fdc58e75b41dc560af3e1e178d447dcf969b675726628b7b5faebaa06182201afba788924dafd5631b19243e90f57ad1729a0b8d9c6eb7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8463c9719e0ef56ec4f6a5e1a45dcf0b

SHA1
bf13c6344daadffc0b581025628dd2fa384ec0cf

SHA256
7b06825007079fe39ad6b142f1ebf93fb45dc754e6e6aec8a720e33fe57fe2c8

SHA512
77d422c5a085863881d27a6d1012b1994129cef46e76bbfab18c1e5096288a72b98ec10dfed39b723b370482114e4fae27bb10e47ef8cbb55859573d28704df6

Download Submit
\??\pipe\LOCAL\crashpad_4832_OICVTMAPZRHYEEZW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5440-200-0x00007FF8E3A60000-0x00007FF8E3BAE000-memory.dmp

Filesize
1.3MB

Download
memory/5440-211-0x0000029833270000-0x000002983329C000-memory.dmp

Filesize
176KB

Download
memory/5440-212-0x00000298332E0000-0x000002983331C000-memory.dmp

Filesize
240KB

Download
memory/5440-235-0x0000029836340000-0x0000029836376000-memory.dmp

Filesize
216KB

Download
memory/5440-208-0x0000029832D20000-0x0000029832D2C000-memory.dmp

Filesize
48KB

Download
memory/5440-209-0x0000029833220000-0x000002983323C000-memory.dmp

Filesize
112KB

Download
memory/5440-206-0x00000298333B0000-0x0000029833556000-memory.dmp

Filesize
1.6MB

Download
memory/5440-201-0x0000029833FB0000-0x000002983501C000-memory.dmp

Filesize
16.4MB

Download
memory/5440-199-0x0000029814650000-0x0000029818730000-memory.dmp

Filesize
64.9MB

Download