Analysis
max time kernel: 133s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 13:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.free robux.com/
Resource: win10v2004-20240709-en

General
Target: https://www.free robux.com/
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures

CrimsonRAT main payload 1 IoC
resource | yara_rule
behavioral1/files/0x000a000000023405-647.dat | family_crimsonrat

CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Downloads MZ/PE file
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | CrimsonRAT.exe
(3 identical entries, one per CrimsonRAT.exe instance)

Executes dropped EXE 6 IoCs
pid | Process
2300 | CrimsonRAT.exe
1172 | dlrarhsiva.exe
2612 | CrimsonRAT.exe
3772 | dlrarhsiva.exe
3624 | CrimsonRAT.exe
2644 | dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTP 2 IoCs
flow | ioc
175 | raw.githubusercontent.com
176 | raw.githubusercontent.com

Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class 1 IoC
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2990742725-2267136959-192470804-1000\{A61F174A-B706-45E1-BB93-38C4555EAD71} | msedge.exe

NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 710660.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 387029.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process | entries
4828 | msedge.exe | 2
2188 | msedge.exe | 2
2564 | identity_helper.exe | 2
4488 | msedge.exe | 2
760 | msedge.exe | 2
1132 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
pid | Process | entries
2188 | msedge.exe | 22

Suspicious use of FindShellTrayWindow 42 IoCs
pid | Process | entries
2188 | msedge.exe | 42

Suspicious use of SendNotifyMessage 24 IoCs
pid | Process | entries
2188 | msedge.exe | 24

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 4940 | 2188 | msedge.exe | 85
PID 2188 wrote to memory of 1240 | 2188 | msedge.exe | 86
PID 2188 wrote to memory of 4828 | 2188 | msedge.exe | 87
PID 2188 wrote to memory of 1120 | 2188 | msedge.exe | 88
(64 entries in total; the original table repeats one row per write, and the four rows above are the distinct ones)
Processes
(child processes are indented under their parent)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.free robux.com/
PID: 2188
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffde74e46f8,0x7ffde74e4708,0x7ffde74e4718
  PID: 4940

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  PID: 1240

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  PID: 4828
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  PID: 1120

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  PID: 2528

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
  PID: 5104

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  PID: 1176

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  PID: 3520

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
  PID: 4608

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
  PID: 2564
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  PID: 3788

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  PID: 1644

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  PID: 1612

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  PID: 4504

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  PID: 4896

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  PID: 4528

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  PID: 1052

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3384 /prefetch:8
  PID: 4432

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  PID: 1524

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  PID: 3788

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
  PID: 1868

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
  PID: 4440

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  PID: 5036

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  PID: 1244

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6128 /prefetch:8
  PID: 3500

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5052 /prefetch:8
  PID: 4488
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  PID: 1644

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  PID: 1336

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  PID: 4944

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  PID: 3416

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6224 /prefetch:8
  PID: 4296

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  PID: 4316

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7272 /prefetch:8
  PID: 1132

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7400 /prefetch:8
  PID: 1892

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  PID: 760
  - Suspicious behavior: EnumeratesProcesses

  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  PID: 2300
  - Checks computer location settings
  - Executes dropped EXE

    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    PID: 1172
    - Executes dropped EXE

  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  PID: 2612
  - Checks computer location settings
  - Executes dropped EXE

    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    PID: 3772
    - Executes dropped EXE

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11331197077602960702,441284621251781190,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7100 /prefetch:2
  PID: 1132
  - Suspicious behavior: EnumeratesProcesses

  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  PID: 3624
  - Checks computer location settings
  - Executes dropped EXE

    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    PID: 2644
    - Executes dropped EXE

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 432

C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1288
Network
MITRE ATT&CK Enterprise v15
Downloads