Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 19:31

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://a
Resource: win10v2004-20240704-en
General

Target: http://a

Malware Config

Extracted: crimsonrat
185.136.161.124
Signatures

CrimsonRAT main payload (1 IoC)
  yara_rule: behavioral1/files/0x00070000000235fe-963.dat  family_crimsonrat

CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation  (CrimsonRAT.exe)

Executes dropped EXE (2 IoCs)
  PID 180   CrimsonRAT.exe
  PID 4488  dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 116: raw.githubusercontent.com
  flow 117: raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{76045808-BA0A-4BCF-B84E-B095EC464942}  (msedge.exe)

NTFS ADS (2 IoCs)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 21908.crdownload:SmartScreen  (msedge.exe)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 691947.crdownload:SmartScreen  (msedge.exe)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
Suspicious use of FindShellTrayWindow (42 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- PID 2852: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://a
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3768: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa659646f8,0x7ffa65964708,0x7ffa65964718
  - PID 4976: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - PID 4464: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1572: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  - PID 2916: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  - PID 3216: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  - PID 1316: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  - PID 3204: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  - PID 4084: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  - PID 4652: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  - PID 1012: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4576: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  - PID 1596: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  - PID 4568: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  - PID 1584: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  - PID 1676: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4808 /prefetch:8
  - PID 1340: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5828 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - PID 2076: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  - PID 1392: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
  - PID 5080: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  - PID 1252: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  - PID 1152: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6500 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4508: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6664 /prefetch:8
  - PID 2264: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  - PID 3316: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6640 /prefetch:8
  - PID 3556: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
  - PID 1312: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,7113201080653553849,7262140203910334247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4100 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 180: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    Signatures: Checks computer location settings; Executes dropped EXE
    - PID 4488: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      Signatures: Executes dropped EXE

- PID 3484: C:\Windows\System32\CompPkgSrv.exe -Embedding

- PID 1748: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads