xworm | hxxps://teletype[.]in/@thread_type/IGorbHrQvQk

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	CraxsRat V7.6‌‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	smartscreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk	smartscreen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smartscreen.lnk	smartscreen.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.lnk	svchost.exe

Executes dropped EXE 5 IoCs

pid	Process
3988	CraxsRat V7.6‌‌.exe
824	CraxsRat V7.6.exe
2964	smartscreen.exe
2168	svchost.exe
3512	svchost.exe

Loads dropped DLL 10 IoCs

pid	Process
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe
824	CraxsRat V7.6.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b579fb85-aac9-4d9b-b1d2-3961e498b9ee.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241109102702.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CraxsRat V7.6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
856	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon	CraxsRat V7.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk	CraxsRat V7.6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.apk\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\Craxsrat V7.6\\res\\Icons\\apk.ico"	CraxsRat V7.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5664	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2964	smartscreen.exe
3512	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2704	msedge.exe
2704	msedge.exe
872	identity_helper.exe
872	identity_helper.exe
1340	msedge.exe
1340	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
2956	taskmgr.exe
2956	taskmgr.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe
2956	taskmgr.exe
5240	powershell.exe
5240	powershell.exe
5240	powershell.exe
2956	taskmgr.exe
6048	powershell.exe
6048	powershell.exe
6048	powershell.exe
2964	smartscreen.exe
2964	smartscreen.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
5528	powershell.exe
5528	powershell.exe
5528	powershell.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5300	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5300	AUDIODG.EXE
Token: SeRestorePrivilege	1140	7zG.exe
Token: 35	1140	7zG.exe
Token: SeSecurityPrivilege	1140	7zG.exe
Token: SeSecurityPrivilege	1140	7zG.exe
Token: SeDebugPrivilege	2964	smartscreen.exe
Token: SeDebugPrivilege	2956	taskmgr.exe
Token: SeSystemProfilePrivilege	2956	taskmgr.exe
Token: SeCreateGlobalPrivilege	2956	taskmgr.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeIncreaseQuotaPrivilege	5772	powershell.exe
Token: SeSecurityPrivilege	5772	powershell.exe
Token: SeTakeOwnershipPrivilege	5772	powershell.exe
Token: SeLoadDriverPrivilege	5772	powershell.exe
Token: SeSystemProfilePrivilege	5772	powershell.exe
Token: SeSystemtimePrivilege	5772	powershell.exe
Token: SeProfSingleProcessPrivilege	5772	powershell.exe
Token: SeIncBasePriorityPrivilege	5772	powershell.exe
Token: SeCreatePagefilePrivilege	5772	powershell.exe
Token: SeBackupPrivilege	5772	powershell.exe
Token: SeRestorePrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeSystemEnvironmentPrivilege	5772	powershell.exe
Token: SeRemoteShutdownPrivilege	5772	powershell.exe
Token: SeUndockPrivilege	5772	powershell.exe
Token: SeManageVolumePrivilege	5772	powershell.exe
Token: 33	5772	powershell.exe
Token: 34	5772	powershell.exe
Token: 35	5772	powershell.exe
Token: 36	5772	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeIncreaseQuotaPrivilege	3420	powershell.exe
Token: SeSecurityPrivilege	3420	powershell.exe
Token: SeTakeOwnershipPrivilege	3420	powershell.exe
Token: SeLoadDriverPrivilege	3420	powershell.exe
Token: SeSystemProfilePrivilege	3420	powershell.exe
Token: SeSystemtimePrivilege	3420	powershell.exe
Token: SeProfSingleProcessPrivilege	3420	powershell.exe
Token: SeIncBasePriorityPrivilege	3420	powershell.exe
Token: SeCreatePagefilePrivilege	3420	powershell.exe
Token: SeBackupPrivilege	3420	powershell.exe
Token: SeRestorePrivilege	3420	powershell.exe
Token: SeShutdownPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeSystemEnvironmentPrivilege	3420	powershell.exe
Token: SeRemoteShutdownPrivilege	3420	powershell.exe
Token: SeUndockPrivilege	3420	powershell.exe
Token: SeManageVolumePrivilege	3420	powershell.exe
Token: 33	3420	powershell.exe
Token: 34	3420	powershell.exe
Token: 35	3420	powershell.exe
Token: 36	3420	powershell.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeIncreaseQuotaPrivilege	5240	powershell.exe
Token: SeSecurityPrivilege	5240	powershell.exe
Token: SeTakeOwnershipPrivilege	5240	powershell.exe
Token: SeLoadDriverPrivilege	5240	powershell.exe
Token: SeSystemProfilePrivilege	5240	powershell.exe
Token: SeSystemtimePrivilege	5240	powershell.exe
Token: SeProfSingleProcessPrivilege	5240	powershell.exe
Token: SeIncBasePriorityPrivilege	5240	powershell.exe
Token: SeCreatePagefilePrivilege	5240	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
1140	7zG.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
824	CraxsRat V7.6.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
824	CraxsRat V7.6.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
824	CraxsRat V7.6.exe
2964	smartscreen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4428	2704	msedge.exe	82
PID 2704 wrote to memory of 4428	2704	msedge.exe	82
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 1904	2704	msedge.exe	83
PID 2704 wrote to memory of 2076	2704	msedge.exe	84
PID 2704 wrote to memory of 2076	2704	msedge.exe	84
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85
PID 2704 wrote to memory of 544	2704	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://teletype.in/@thread_type/IGorbHrQvQk
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc4c7646f8,0x7ffc4c764708,0x7ffc4c764718
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2504 /prefetch:2
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff623775460,0x7ff623775470,0x7ff623775480
    3⤵
    PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,8739724108242198949,15358468553051146167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Craxsrat V7.6\" -spe -an -ai#7zMap18552:88:7zEvent25366
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1140

C:\Users\Admin\Downloads\Craxsrat V7.6\CraxsRat V7.6‌‌.exe
"C:\Users\Admin\Downloads\Craxsrat V7.6\CraxsRat V7.6‌‌.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3988
- C:\Users\Admin\Downloads\Craxsrat V7.6\CraxsRat V7.6.exe
  "C:\Users\Admin\Downloads\Craxsrat V7.6\CraxsRat V7.6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:824
- C:\Users\Admin\AppData\Roaming\smartscreen.exe
  "C:\Users\Admin\AppData\Roaming\smartscreen.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smartscreen.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6048
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft Corporation'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Service_Host:_Network_Setup_Service /tr "C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe" /st 10:35 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5664
- - C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe
    "C:\Users\Admin\AppData\Local\Microsoft Corporation\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1317.tmp.cmd""
    3⤵
    PID:4016
  - - C:\Windows\system32\timeout.exe
      timeout 6
      4⤵
      Delays execution with timeout.exe
      PID:856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery