crimsonrat | hxxps://at-t-inc-afb935[.]webflow[.]io/

Analysis

max time kernel
224s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://at-t-inc-afb935.webflow.io/

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 24 IoCs

Processes:

CrimsonRAT.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exeCrimsonRAT.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exedlrarhsiva.exedlrarhsiva.exedlrarhsiva.exedlrarhsiva.exedlrarhsiva.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exedlrarhsiva.exeCrimsonRAT.exedlrarhsiva.exe

pid	process
1664	CrimsonRAT.exe
4800	CrimsonRAT.exe
2580	dlrarhsiva.exe
2388	CrimsonRAT.exe
2440	CrimsonRAT.exe
996	CrimsonRAT.exe
736	dlrarhsiva.exe
856	CrimsonRAT.exe
2256	CrimsonRAT.exe
1620	dlrarhsiva.exe
4056	CrimsonRAT.exe
1280	dlrarhsiva.exe
2624	dlrarhsiva.exe
4836	dlrarhsiva.exe
4160	dlrarhsiva.exe
2396	dlrarhsiva.exe
1992	CrimsonRAT.exe
2072	dlrarhsiva.exe
3452	CrimsonRAT.exe
2388	dlrarhsiva.exe
2468	CrimsonRAT.exe
2052	dlrarhsiva.exe
2904	CrimsonRAT.exe
4520	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

141 raw.githubusercontent.com
142 raw.githubusercontent.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
141	raw.githubusercontent.com
142	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{69B28FA9-C463-4AF5-A181-251D36B3B244}	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 311389.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 311389.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
960	msedge.exe
960	msedge.exe
864	msedge.exe
864	msedge.exe
4920	identity_helper.exe
4920	identity_helper.exe
2976	msedge.exe
2976	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
3940	msedge.exe
1232	msedge.exe
1232	msedge.exe
4788	msedge.exe
4788	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe

pid	process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 864 wrote to memory of 3068	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3068	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 3256	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 960	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 960	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe
PID 864 wrote to memory of 1204	864	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://at-t-inc-afb935.webflow.io/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b2d46f8,0x7ff82b2d4708,0x7ff82b2d4718
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,2653838520312648927,4500615210437823580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1664
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4800
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:736
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2388
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1620
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2440
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1280
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:996
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:856
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4160
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2256
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4836
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4056
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1680

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1992
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2072

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3452
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2388

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2468
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2052

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2904
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1a346660h2aa9h4640hb715ha1d8f5fe0af6
1⤵
PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff82b2d46f8,0x7ff82b2d4708,0x7ff82b2d4718
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11766417122376583622,7102944459793046602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11766417122376583622,7102944459793046602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11766417122376583622,7102944459793046602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:4248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault51800017hd75bh445dh9735h0f1a3cadc130
1⤵
PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff82b2d46f8,0x7ff82b2d4708,0x7ff82b2d4718
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16959418910290494592,12571509781612458944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16959418910290494592,12571509781612458944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16959418910290494592,12571509781612458944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:4248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bcae9498ab3165c1a31358bb14ea267

SHA1
4fb295bf109b1f72a2f9df8aa83e274f9ff82518

SHA256
05b49bda72a05e487d2cb96053d3ae6265a435284fb68638cd7ac45b0407e20a

SHA512
4e5f07700e67ddd4a77d961b18c3da2480064b54573067acf4d7f1b1073e42d034b650029617ad3926865ef9a18aeeed6418a202ef166bd8268b091e91e514ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
8b9558c525784016ecf29b528168425c

SHA1
7073700f199b61e39e6386a66197697dc477d11b

SHA256
352529d209e8e79a19245ba25084e507cceda706f456056d4d9be09589223598

SHA512
6a5714dbda80782c2da2cbb8b908dc68242f1dae225985d1f479aa14419a2ce19b1e31e733fa8917569afc9c916dff6e741bfd921eb7476af4fc9dd5c7fb3546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a463c9e192363ee6d193b56c7cf027e2

SHA1
4094fd236cd2168e060a8facf3bec7cdcda34a6a

SHA256
3536629ea10f380a422679a3a1ae405cc07f9f1b64b34c0dc7ca43bf720fb5ff

SHA512
bf07205f65faa9ae6f24d10ad7a7579e4e623f8cac7a40dd55408cc54c958fcf2f93d0a515500a30a2dfda091e71eb8ca45cdf86d82a75d10bb705f521cacbd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b8371c18aa0447aa56826473d00b7f0e

SHA1
d00d5d9278f35a6b90e4f68eaa1a93d7b0353b01

SHA256
8016f53cd63c7c4eb82c80a0c7f5bfea1128f93181067fbaad8bd677816305da

SHA512
0645a6898bc369906c549c37fd9615825a355798e469155599a6c1ec7c7698ef226279cb5bcfde256bef11ef24ca2f48b7505f3d7a92d9ca52c6925ef70fbbb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
944B

MD5
f66667868eccbc3cb6cf8289e91a1e26

SHA1
c8a856347338bdd0b2b769278865c9544d1832f1

SHA256
70c2294bc0ac03e467fc4ad4b050230ec626baa74405eb02712c71653d987ed9

SHA512
904d628d6e8af61451ec3865f9e8cb9964e78159ba15c057b735e65ca87b2f073b53eccea9c0fa42263374efb9341dbf44e396e90405879dede236e40dcef1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea48ec506eccc91646051617d9b9228c

SHA1
2797fab19a24b1a277d4d1594b81321603abc5ea

SHA256
2f58ca03be16988f6eaad665a1a2641ef84c362d72e46c1b6cc348e9b7bb39a0

SHA512
f865fad5154702cfa0eb092b08c8631f785c282b2c3f2f3b2f78f9f5d17005440b333d91e5bd480499d1b7f8c7b032e088c4779c0d5908a53541fe8f4d1c22d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5d98de9527716a853411b9f11a49a641

SHA1
2cdcacef78be39846c6e9ceac1b01e39a72db554

SHA256
19415d123f6e12b2dd006e38e10eb68855323b34e232e5a75f797be208183aa3

SHA512
68d8581f1da5279edc7d3d9add61f8908b48ce6318cb4f3b48a6dc0c1a15ad010e243caaa68ee5d6c4a6906c3e6d83cfe0f2a21d1c204a35f9c8a342c1d070b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d7f28378af8413996e1d9b57c4f0e98

SHA1
960e2e130d4343954cf4800c52078ae3c3328647

SHA256
1059be6ba6f461735874d17770b89cb50abf35dcb4f5bdf1f4f0bab7b812c11b

SHA512
45ba9699cd83b03522cba8a1284934de868dcd5c4c2ee36b870a07513490262e50ce1f4b75ef9153399c8e89532f214b9522a6d0656a90a5f23f81afe9aa8f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e67c305a6f33d064a5e079745d979a7a

SHA1
6eb8b49fb96250341c9b75ab94ed2b33c1a0bafa

SHA256
9e0e0771e654f0bea4b061b14691991ef2c78664d1ec3a9af0c8efe231dea5c3

SHA512
bb77712626261e3c9e405dddd7578bd2fee14dfbd765a3a4079c8ab63040b2b90db6c43efddc11860f7ee6a97f25ad6a6777daceb811c7860f3f19e20b4c4666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
585440a7599e79634d54f7f7efb7e818

SHA1
019bb332becf0acdf74d334f3bc904ddc78cecf8

SHA256
22d60f7b6e364bef7d73fc74b0a86f3f70d5430857d0a02f8ca39b4dc912e7a7

SHA512
cdef390739895ef2fb240621a18f3ef7eebf336f11b3abc90ed757d43476b1a291337e22e986dc8e8128850f58d83ccbad717327153c77382b3b45be5772dea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1c4b43b773f527960db1f9eee19f1c7f

SHA1
e395a126042e11ae875c8f5df6ff03bf117cf700

SHA256
82f92fcc81211830f2eca5f06d54f863c9e3a0c8bfe6e63d3150648bc8cf7009

SHA512
799b9083260dd3237511da75b7a6b23cbd9447adffe59d2fcfe1280e1604f1fc59ad6c8ae65e26c99c062b3c3bbb5e87c7522cddcc2f84df7a890abcd2a6766c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eabd1d37216176147162bacb3e08d677

SHA1
cc5a713a4f4775de6f0d406f570a112444ed09fb

SHA256
9b496832c1627d5279d558cfc8d997121b6e8fe57bf6875e8ece290edd27afa5

SHA512
6504847d8533c02a1d41db49ca181f153d52712c396fdb1fba5da6fba70ebf53a1116cc05fc6bc906a2541e6eac2beb12af9e2daf20c3fb309cdfbe55a6b6cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c52771c01c6fd9d0f0e9c2214628b1b3

SHA1
118ccd3f5a9734903fb2e02c224240c45c43e309

SHA256
a4a148352a3e72ec8d30a8b8562311e6342dbab43be5c08cc0923b11e8c1c068

SHA512
49da7b896b1e344f8be2a1a3c22428025e61cffa2bcf4d1010a22512c278e8cb81d4da004c5d443ab3f23edf7ada80f9fa85119c25aa7cbf1fac2442276186ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5186117eab3324f0472f1e751a92c0a7

SHA1
50cffcdc30ec3b24a71978d9d8a758b5676cd168

SHA256
963fb431692b1b9cb89d9ee0d4b33d6cdd437ec546cd8124cc3b638eb17348f5

SHA512
92d79f917448686c8a0d6875ab54aef8067147b4775e823fba3f2dc91757863af97b28cbc2889a725c61da47fbce7ae1b49fdf8b6a507764ddd4ad635b15a598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5a01a93fa9125ad6604d01c70b56d2f

SHA1
53a427a8438de57094495a83c48f4e24ba00fd2f

SHA256
13f102a23e7b8ec576bb9a0378c6616ca6beefa56d69d713d108088a84ce658a

SHA512
0579550d026568ec670020f076ff470b8a504f3eb7453f32e6eb89309f854e8fd976253280820ecb80626b1800241019a54fdaf61a2ba896355ca0995d1edae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
ab0ef70c7da6e843016b620900853153

SHA1
a70d5078bd8f385a15695eca073c51bc183a106e

SHA256
743b61f36930a3403ed4853e4ec3ba39be4567a134b2dcd9a773bdde8ac6843d

SHA512
d302491b4d2ea07b7fe9f6003505c313057ff08769f31cb56ad934ba48a0a6bd378bb7b979dad7b3bbb4fe187df535ff5eac2d0a49fecd09087d63b173e0cde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4fc2cb27c16c50d5cf0179ba44ac8e4d

SHA1
df379f93805b90288be64979da9487736656bd44

SHA256
f4b530202c3dc7a72ea9f32b8e1cf14ce71394fcdfc4b02439bf70c12b0305e5

SHA512
f9e68787256e85e70f1b92ea95d5085fef2caf564c0266dffc10cc2fed94003a91a427250ae9748d7650ca86a2998cab8d9ac1567e8fcef0ea4ab26c484c68c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d83c810e026b85293d78dd1aa66124c6

SHA1
0c9851fd16a6d51a8db894763518a36892fda868

SHA256
df3f0ab43bbf49020a596cda03e2b530222f1292a40d3d26997a533e61971e57

SHA512
f9b1d0d1a3210a4457ce1090c64b3a41532028b6bf542ffe4e95647a7c530a507b6a93f36d71c4a75ebfd9c8c0ba4cb0ea4fc960ad191c7c7e0433f0acc730c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acde36e7bef07aa163fe8f28743c9932

SHA1
5d8656f7d6d2c62953eae0db409bf6dc01055ab8

SHA256
ecfad68eade3c0bb3283a91656a5749a9b61829a7ace3746b132f29ebb99427b

SHA512
ae42af1bf916ff0e3f102a03029daaf321c3a4b2a7034439129b93b7907f79222d405d4dc7f614174812148e3f4b707129190049c86bb2c7e3c230d6b4f281d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d404.TMP

Filesize
204B

MD5
34db7e37fd83a81014d6df150a3d82aa

SHA1
7861907441ff3c8de28f75a29f7bf482e351ed92

SHA256
5da2b6ffa47e87810e6c9db51dcacdfc5a946daafebd57023e3e29950eaee17d

SHA512
acebd3728a7900cbb20f554e853b86e5fd270f3aef7791d92c3b81e028470b5fc652f6512ea78445d7158b96256e52e15c6d84b4bcd10da0024880e68520f8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c980e27b-d269-42a7-811a-4c7d8416049e.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ff296a90-36cf-4b23-8603-164b7a2c52a2.tmp

Filesize
6KB

MD5
4cbe7f1fa7184af0105f2c0288889daf

SHA1
3a6c5cd53b302776ed3274fd5982b8570318f62b

SHA256
1d2dddd71a15ae69c40dd42ad0792aefec9458ab74dc560caa18a5a082b415fc

SHA512
bf9f6d0a840795d6ff54b541c864fbc73fea79d11e82030d0e5f5f48c0f0331db4d57c4bc322c6dca2503059ac78e007a890ec4153d336f5a80f1ba6e936f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bef80028bc34b135619df3bde46753a

SHA1
0dd147323cdb9dce4c3a8fbacc4803dc3a04f526

SHA256
a25b155dd1133b58a615133cdd06c5ab32a0fd30a92483740e3c15cb9a8f9b95

SHA512
02a1a309c73f5a62f8a5ed2205baec49ce373d3768339a60f9289ff7f3da3e389cfc97d2b4908e3197d6442d67f624ae4d808b16ceebeaff2063245a0546f460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5354e7b0d91e6227be8877e746e0beb1

SHA1
c78b4d6c97badd5c356498e317543cd4b48af56a

SHA256
5645d1f3acf70282c58c2a1c9fa26c141d54405c19ca084257563afa28b74008

SHA512
f389a54b1dd9e9b01e9bdb39167b63526a10025d87c9f63375198a4065efe209411756f18e85c7e376b977b3812a6c879b3d8d49394310464c38ce3b631c9bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b91c6ac848cf0186f3635154d271be5d

SHA1
bdd984fb011c0ffdc94206c6b07d0c194654ee46

SHA256
a52682c00d299241639bb1f1f8ae969b5302a2c073a744789684fbcbd5042599

SHA512
295658de4eea6da324b21e49bd779eafc5f3f7ce7a1af8763f0f42f181b32950ed82597668ddf2fe350ea34b9dede1afbbc2ea7b3ef26574ce6243b7054a7d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
d1e675d43f504431df51034ddb0804bb

SHA1
48c2142ea5c09efb3182fc4fbe946ee9ebc0d1c7

SHA256
74ce824f06f9ab259f20bc1dd882cb8d877332f5e0843887892465d4bc1e4ca6

SHA512
88f2ae5fd34ba3f1b9ae1c34d82c0b7cccee4dbc3bfc23f5e9afacf9d24707ac2bd63e6110984a917c0169097fb3179cc15d338270a294b0c31b240747bc63e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 311389.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
\??\pipe\LOCAL\crashpad_864_SKKHUAQQLOGXFNOM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1664-701-0x0000020AE3470000-0x0000020AE348E000-memory.dmp

Filesize
120KB

Download
memory/2580-734-0x000002A06F640000-0x000002A06FF54000-memory.dmp

Filesize
9.1MB

Download