Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2024 14:06
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://12kbps.xyz/repo/vir
Resource: win10v2004-20240802-en

General
Target: http://12kbps.xyz/repo/vir

Malware Config
Extracted: crimsonrat, 185.136.161.124

Signatures
CrimsonRAT main payload 1 IoCs
resource: behavioral1/files/0x0007000000023575-555.dat, yara_rule: family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried by CrimsonRAT.exe (10 entries): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 20 IoCs
CrimsonRAT.exe PIDs: 4404, 3048, 2548, 3584, 5100, 4384, 4456, 5092, 2564, 3984
dlrarhsiva.exe PIDs: 616, 4076, 1864, 5080, 2128, 3120, 2708, 4476, 2836, 1088
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow 119: raw.githubusercontent.com
flow 118: raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
Key opened by msedge.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried by msedge.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Key value queried by msedge.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class 2 IoCs
Key created by msedge.exe: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{B5CBDC47-5FA1-457B-9628-2845102D94F3}
Key created by msedge.exe: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings

NTFS ADS 1 IoCs
File opened for modification by msedge.exe: C:\Users\Admin\Downloads\Unconfirmed 451775.crdownload:SmartScreen
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid / process: 4156 msedge.exe (2 entries), 4836 msedge.exe (2), 1916 identity_helper.exe (2), 3352 msedge.exe (2), 4084 msedge.exe (2), 4396 msedge.exe (4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid / process: 4836 msedge.exe (18 entries)

Suspicious use of FindShellTrayWindow 43 IoCs
pid / process: 4836 msedge.exe (43 entries)

Suspicious use of SendNotifyMessage 32 IoCs
pid / process: 4836 msedge.exe (32 entries)

Suspicious use of WriteProcessMemory 64 IoCs
PID 4836 (msedge.exe) wrote to memory of child PIDs 3588 (procid_target 82), 4272 (procid_target 83), 4156 (procid_target 84) and 3540 (procid_target 85); 64 entries in total.
Processes
(indentation shows parent/child nesting; signatures are listed under the process that triggered them)

[PID 4836] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://12kbps.xyz/repo/vir
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [PID 3588] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97ce046f8,0x7ff97ce04708,0x7ff97ce04718
    [PID 4272] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
    [PID 4156] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [PID 3540] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
    [PID 4412] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    [PID 2392] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    [PID 3480] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
    [PID 1604] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
    [PID 3532] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    [PID 1916] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [PID 3396] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
    [PID 2548] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
    [PID 2508] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
    [PID 2516] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    [PID 2228] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    [PID 4616] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    [PID 1972] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    [PID 3956] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    [PID 4204] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
    [PID 4060] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3564 /prefetch:8
    [PID 3352] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5284 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
    [PID 3720] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    [PID 2108] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1
    [PID 2600] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
    [PID 5048] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4220 /prefetch:8
    [PID 2748] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
    [PID 4848] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
    [PID 4084] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6476 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [PID 4404] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 616] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 3048] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 4076] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 2548] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 1864] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 2120] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
    [PID 3584] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 5080] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 5100] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 2128] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 4384] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 3120] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 4456] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [PID 2708] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
            - Executes dropped EXE
    [PID 4396] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,15664628511729647545,16644077412184000064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6556 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

[PID 2812] C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 3028] C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 1360] C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 5092] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    - Checks computer location settings
    - Executes dropped EXE
    [PID 4476] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
        - Executes dropped EXE

[PID 2564] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    - Checks computer location settings
    - Executes dropped EXE
    [PID 2836] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
        - Executes dropped EXE

[PID 3984] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    - Checks computer location settings
    - Executes dropped EXE
    [PID 1088] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads