Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows11-21h2_x64
Resource: win11-20240221-en
Resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 01-04-2024 06:43
Static task: static1
Behavioral task: behavioral1
Sample: .html
Resource: win11-20240221-en

General

Target: .html
Size: 146KB
MD5: 9602cce3290d442ff57b8defb95bb82c
SHA1: 46b40c8ad2b8d5a36719805f12b40389120ed425
SHA256: f57b75f9a8011bc2f574388d79cbbb75a09cb56b3598bf1d2cc11f26b01f76f6
SHA512: b6c765abf9a3f9abe61da82a87012a6f67999e4f96063b2781de67f95ca638633eedd545ddbea7b6f245188128825a685852c683987e995fd277607037fe9407
SSDEEP: 1536:omkyd8LFVMUK4DgnVR4DBllKoVkL30vD9329s4D+HhqiE:1kzLFoVsllXmxYHhqiE
Malware Config

Extracted
Family: crimsonrat
C2: 185.136.161.124
Signatures

CrimsonRAT main payload (1 IoC)
Processes:
Resource                                 YARA rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe   family_crimsonrat

CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Downloads MZ/PE file

Executes dropped EXE (30 IoCs)
Processes:
PID    Process
4984   CrimsonRAT.exe
1900   dlrarhsiva.exe
1596   CrimsonRAT.exe
2136   dlrarhsiva.exe
4724   CrimsonRAT.exe
1276   dlrarhsiva.exe
4232   CrimsonRAT.exe
5024   dlrarhsiva.exe
2404   CrimsonRAT.exe
1468   dlrarhsiva.exe
1536   CrimsonRAT.exe
4816   dlrarhsiva.exe
8      CrimsonRAT.exe
2264   dlrarhsiva.exe
3712   CrimsonRAT.exe
4556   dlrarhsiva.exe
4164   CrimsonRAT.exe
2152   dlrarhsiva.exe
5728   CrimsonRAT.exe
5796   dlrarhsiva.exe
5936   CrimsonRAT.exe
6008   dlrarhsiva.exe
6100   CrimsonRAT.exe
5144   dlrarhsiva.exe
3240   CrimsonRAT.exe
3852   dlrarhsiva.exe
2016   CrimsonRAT.exe
1556   dlrarhsiva.exe
4696   CrimsonRAT.exe
2004   dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in Windows directory (4 IoCs)
Processes:
Description                    IoC                                           Process
File opened for modification   C:\Windows\Panther\UnattendGC\setupact.log    UserOOBEBroker.exe
File opened for modification   C:\Windows\Panther\UnattendGC\setuperr.log    UserOOBEBroker.exe
File opened for modification   C:\Windows\Panther\UnattendGC\diagerr.xml     UserOOBEBroker.exe
File opened for modification   C:\Windows\Panther\UnattendGC\diagwrn.xml     UserOOBEBroker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
Description         IoC                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoC)
Processes:
Description   IoC                                                                                                                                                                                          Process
Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{FE369B5E-CADC-41A4-916F-43ABE0CFE5B6}   msedge.exe

NTFS ADS (2 IoCs)
Processes:
Description                    IoC                                                               Process
File opened for modification   C:\Users\Admin\Downloads\Unconfirmed 101037.crdownload:SmartScreen   msedge.exe
File opened for modification   C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier           msedge.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
PID    Process
228    msedge.exe
228    msedge.exe
568    msedge.exe
568    msedge.exe
3244   identity_helper.exe
3244   identity_helper.exe
3908   msedge.exe
3908   msedge.exe
700    msedge.exe
700    msedge.exe
3712   msedge.exe
3712   msedge.exe
5872   msedge.exe
5872   msedge.exe
5872   msedge.exe
5872   msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Suspicious use of FindShellTrayWindow (48 IoCs)
Suspicious use of SendNotifyMessage (16 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 568)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb39ec3cb8,0x7ffb39ec3cc8,0x7ffb39ec3cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2900)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 228)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4944)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1992)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5012)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3276)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 3244)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3908)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1576)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2096)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1860)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1808)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5824 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 700)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5836 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3132)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1724)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3712)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 4984)
    Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    - Executes dropped EXE

    C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 1900)
      Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      - Executes dropped EXE

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4848)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4628)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1300)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1

  C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 1596)
    Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    - Executes dropped EXE

    C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 2136)
      Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      - Executes dropped EXE

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5872)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,2538487743444775078,10221291679022331055,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 2004)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1588)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 2524)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 4724)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 1276)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 4232)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 5024)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 2404)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 1468)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 1536)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 4816)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 8)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 2264)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 3712)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 4556)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 4164)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 2152)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Windows\system32\svchost.exe (PID 772)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 5176)
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 5212)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 5728)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 5796)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 5936)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 6008)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 6100)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 5144)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 3240)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 3852)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 2016)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 1556)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE

C:\Users\Admin\Downloads\CrimsonRAT.exe (PID 4696)
  Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  - Executes dropped EXE

  C:\ProgramData\Hdlharas\dlrarhsiva.exe (PID 2004)
    Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    - Executes dropped EXE
Downloads