crimsonrat | hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Binaries

Analysis

max time kernel
267s
max time network
268s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries

Score

10^/10

crimsonrat aspackv2 discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000745-391.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000000739-526.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 6 IoCs

pid	Process
5060	CrimsonRAT.exe
3740	dlrarhsiva.exe
1104	CookieClickerHack.exe
4856	CookieClickerHack.exe
5648	Launcher.exe
3380	Melting.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
70	raw.githubusercontent.com
71	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 568814.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 661642.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 608070.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 672364.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 536268.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
2316	msedge.exe
2316	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
5844	msedge.exe
5844	msedge.exe
5312	msedge.exe
5312	msedge.exe
5972	msedge.exe
5972	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe
5756	msedge.exe
5756	msedge.exe
180	msedge.exe
180	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5152	taskmgr.exe
Token: SeSystemProfilePrivilege	5152	taskmgr.exe
Token: SeCreateGlobalPrivilege	5152	taskmgr.exe
Token: 33	5152	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5152	taskmgr.exe
Token: SeDebugPrivilege	2520	taskmgr.exe
Token: SeSystemProfilePrivilege	2520	taskmgr.exe
Token: SeCreateGlobalPrivilege	2520	taskmgr.exe
Token: 33	2520	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2520	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
5152	taskmgr.exe
2520	taskmgr.exe
2520	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4000	2316	msedge.exe	84
PID 2316 wrote to memory of 4000	2316	msedge.exe	84
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 1612	2316	msedge.exe	85
PID 2316 wrote to memory of 3280	2316	msedge.exe	86
PID 2316 wrote to memory of 3280	2316	msedge.exe	86
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87
PID 2316 wrote to memory of 2964	2316	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd790346f8,0x7ffd79034708,0x7ffd79034718
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,7087184308601412819,16933943291931578471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5960

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5060
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:3740

C:\Users\Admin\Downloads\CookieClickerHack.exe
"C:\Users\Admin\Downloads\CookieClickerHack.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5152

C:\Users\Admin\Downloads\CookieClickerHack.exe
"C:\Users\Admin\Downloads\CookieClickerHack.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2520

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5648

C:\Users\Admin\Downloads\Melting.exe
"C:\Users\Admin\Downloads\Melting.exe"
1⤵
- Executes dropped EXE
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bd030311559627e22d0fa943f0885fa9

SHA1
4d722132beb28afb901a67199aab875bc0a17d77

SHA256
8e632f8cd8d02642470bf4c3e910132af9a8b131794b71f2d7e4f092ee582701

SHA512
9e97eea7262a862e2c5efb5c75069081b65559ffc5046b8c2c403ac085866adf2642c2d6b001cfbf6262fe48091b271b228f101e95da94b046d60592dc8e0c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
75237b876e4ebf0cf587313ae92b7952

SHA1
ef712d6b1e678d091b39cd593b8d4a2a5520f139

SHA256
d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b

SHA512
0c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0e6caac7afd2965c0e8a47bb4fdaaca

SHA1
4212e0d43219dd5a965e4f19cc4e38744586dfce

SHA256
514bd4c2013360b9f8aaeb5a7b281191d5bcf660dace8b18c0b5ec1b925e1b2d

SHA512
b4ab1985d88a3d2938ba7bc4e2651ec6a3cdb4e447d472948c15c947c708fd573d90b7ba8882bbcd09484076a89bb921d451d2b73f16e3dab8ba7d129248cdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65db8a38f4cd783715bb7cb09bb87161

SHA1
601327706a58cff57c69921db453a84b496be2b8

SHA256
a0beaa76f551778372dc8e0f4c64d4795974850b44b3f1e6c672134715ac40b8

SHA512
6e814d9b15dd0cd659481f4f3ce7a716d28063229f6e17e9b548d5d3404c8245eae0220b8ccb6531cb22bf4a360e901994371baa178c56492ca9e16db02e9944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91ede769df300015d94d7c310c91a51a

SHA1
e129830f8b046a0b76b4b765284f569b64c3f33e

SHA256
11934b602b869845ddae283c74dd57e6cdeacd86fe25259e08972d5f55f527dd

SHA512
0d7fc56c478a93b518aea7d81209f5dd2f1f54c320dde0d5c589a33790ed87e9f3eff3d547afcbc1633c7505343dc68226727c3fd73b2846d055d0aab4776fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
09cf4a0a5c9f1f58879a8d6b4793e79b

SHA1
fdebe2b400263d02d71cb3a512209592dd20b8df

SHA256
f1fd5c52ad5dae8d7228eca00027cf4f37c9cb076712cd6b89a1dc4c04164276

SHA512
a43242df5b5da4ab1d8ecd1c66552cee45bb2123c89ca04f040d5f271aa9adc67411fd44e78f236d7ccfb745eaaeadb925eed137e3b0e9f73e49b1903b519c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e41b95a7aedf0f9c594c8eaaeca0eee6

SHA1
848dc96d06f35418eef99ad2b7908d5fec90bf42

SHA256
4de0f9a15c84909130aff0a16e05c721bdbcf7ae94868ac2ca0b4bce3bc9f828

SHA512
4744c3d9194c331d7f9e9ff46a746b1e41f6ffbcbf2936d6b021c75a698d9460740336506cc6379af02cee9157e4f4ffd96b1b11e05160e220691d31c268a070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f2f6e97d99dc76294224ff7e848a2dc

SHA1
5804bf03ddf67b3ce6cf6d1c6bafe125852a9fc2

SHA256
f3fd22e84ec6f7a4be2577d07f5b3333cc923f9af4ceedabaeb834a6b9c093ca

SHA512
4405ef4d760d9d916df0e04040aa9b5877dd49725bbe523b9dc2407e02175657570eb60572aeecbf3e7f53f93f84b7faca79b69096498474b3457fa40c074c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a2fada20777d04645e7225339fbd55f

SHA1
c35fcaa085b9795e41b3a7c47af7f290890fd1ae

SHA256
e549622b000aee8c392934162e62c2c35f40eb8826880ea2d2d446db7ef03967

SHA512
89ca1fd2e9f6ac8ef2d8e9d1c6d3e7f3075078fa79cbdb773f39b569ea406105b70a9ce6146db1477b1cd66373fa6fb6598383154b617aad3040779d5671b85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02df885712b59c847904f55a18d6c86b

SHA1
446dd7ca5a2259ab6c06881aac0ed3d47cc3b8f7

SHA256
f18a288afeb9167a71c842dd2e181fcea8a643e8a8e33c8f4a3c7f657174992e

SHA512
0a083b39bce2da4180f10519c47f9eed0afc7b31ed56b9cb476960fdc6492fb5fbffc1aa9598830fab7d0e22a6cf50f56a87aaedc240c90c83d287ea780e55d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c0c2e6f7e88e57d1551545a4a3c058b

SHA1
f0f2ffb84d1f484e039d9a3b3a8e644506d368ef

SHA256
603acf30377d999f3b86f0b15ea7ee1a472f12c5f280de83cc22b0f8b2648186

SHA512
57ec4746fef682164240cc01cc2aa763ad6d311903c79f013a585bf7ecb19f03ec17d0c643337a970d970852432864c38c0e5c4abb9a9eaae1dc3b7ffe936c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
32bd39cd80e52999885a32826834d6e2

SHA1
83317d400f8d603c3a377514de65a09595684694

SHA256
c35b8d0391a01ad8201d0b955947165eabcc0d0f65977cc9b0552b0c4c36877d

SHA512
a1768d01fbba302b94adaa868bb97024411c46497f27529f61cbbb1a79ede0bcb73b4e4196680705152a8a836b903b2d18b6d1a00802799a3b8abd574324aa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
12589a2761af9461d8d90a0de1a25b82

SHA1
2836021dffeb0c576fcb6ed39a0cfe32016c758e

SHA256
94f4e278388b1ad95a8cd12d68bef2c69098a21541f47f4bcc87cfe7b56c2765

SHA512
22bc46622b9ae12bf50482433c0055a354efa39817b10073bb4a8ef0c43d20473a57654ec871c5bb58a5adb3de878fda648a53c415b1e568a83538801212c09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
be5bc8d03293c7988bf44db90f0ac26a

SHA1
548b63f8b4bfb56618427d01f3ebcb6ef1af9de9

SHA256
b8f4d37a62fd18ca00b99064d804bfdfe0f7de3b52d75aab1cddc2572241e85b

SHA512
bfe28b9815ef4f98c1edb856c2e01c4d5159bf52fac98a49cf9d6bf7b4b113d49bbf38d5448b36a43d48e95a9db2981bfb19ccadf04e944041ca03da2e6ad1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23f1317d333d37366181d8fa381f63f9

SHA1
ff7026b5a7a002e1ccc51eb022ce8d71e9a6d910

SHA256
8553303544b6f65e9f659ec53a69ed6ae0f39c5b105256fba9f5080fd74d482d

SHA512
f97845fad643d205cd2a31667019248ef7cb0b26106220f04f7f848b0800871bf0c4775a8ea93eeac7811ec57beac74ddb50367f6ecaf9577c554b97eec2d425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe65.TMP

Filesize
874B

MD5
e8eb7e4b7fe6f3a157358e40eaffaf90

SHA1
b141dc2882dfdbda38f1930885104d6943689573

SHA256
e8888a8a20c6f274296fd9049409058206a2fd4f229ce04cfcf5bd08fb4eb134

SHA512
478876855b7de62bd64a414d8b53e26642d5837264cb21ceda58898035fd8335662b9bd266289038fbe378076005c4a10dadb442a987a9b666341abcb3b2fa77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fb6bbc050bccf765330646ff99d69f4

SHA1
49398d41d09835b3b1111658bea4e96264de51ec

SHA256
653537c8b4a7a3388c19b0ec510348230396415232e3eb80e8d73fd3f7937c2d

SHA512
a7fa482354273c4048be69aee428d7f3d6976b7bf5635b32a8666cae2a66c8e14cd38e392d4fc0bc46d88b9ecac9becf0afec55e2aae08699890e836ef0bddb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c92145833f10028f4c7337c7c2aaa7a

SHA1
3b55f4d811f02b3e92f63fce18886b491fc43731

SHA256
a151034be2ef734c25db7c312ed65d4f029be3b0cfabbcc62c825a208790b098

SHA512
daaa77251e2866965e90674ec8e73a4b86d37695af70d4b27148353800bc7610cb4416119e4b39d9c050d27157dced455df08c4bf0c3bc313c55ab1c78a45d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
073c374be4062bbb60cd8f119a85d538

SHA1
d1dc1d5629d16a74f5aff62a4781ff1a2d257fee

SHA256
9256a6baea5b005ddafac95443406af434bf4f52fcc08146cee7b775a813c771

SHA512
7964f877190973be930176d79e2ec2da191638003e15e56252c2ba020c3bfaea86c24cfcb4202fe000037211624fd346c5e1bb9036ef58fcc7831a1f7a60fbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
379ce561dd003001ef04359b80d7c261

SHA1
83a2a57a846e663473e78daa8bdcc75ea0c69936

SHA256
183c08428bf1686329781d8d6fe34cd7c7b1d1e55cb25ddf097258160d6e55a4

SHA512
6bb04c254aab9f8a7054c2bbb1edeed1ac94a981be744059556e4d4cb7aa8206f600a8d5bf9e526f4b4a636868c3c2f256c00d3ce7f1429f3522ca3f865f737c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ccb68240fc26401dc74702859199e93

SHA1
01911784f5d0ca0f7e80c94c38b907e2fa928ed9

SHA256
2d5e15f7a10fbd05647bcb60a7631d2dcc9469cf822178a68338e0883ef38b6b

SHA512
29a47aace5d35f870594f06eee91b1ab09cd9655fb64af3309dc8ca6a892a4193f7e88781812ae1867bd9da6aa91fd52bf51cb876326fa000c906ad42f9d0471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84a1751cff3e6342dc2520b839c7d9d6

SHA1
46f2056f4ce7c5677c0d3b33fbf827c30f3979ef

SHA256
6de9ac099a61138ba7b954405741aab71bee99233690427dc0e03fc0130e1f2f

SHA512
6d68a1b3dde3a22d441995b9087ef1a4c4c6f27b5135a655598eff632868c991f61eefe97ba6712f147bbb31997e88a835e64c58ca5ed91202fa99e06d4c068d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
39f0c64654ad14fc72f0f7b3c667491b

SHA1
6360048de1c92c38b3b13f9b05e2d090872fc810

SHA256
0d1572267a003f840a497df1ed58aaf1e36551a14dee491454706c502e125f8a

SHA512
aa22fa9d7dd6c6857516a4992df3a3804d914fed69169f3d9891c529a54d67946b22179666996d9276a9fbed21214a5ab99b946ec826ec552df8bbddd907d293

Download Submit
C:\Users\Admin\Downloads\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 536268.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 568814.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608070.crdownload

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 661642.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 672364.crdownload

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
memory/1104-469-0x00000000017B0000-0x00000000017B8000-memory.dmp

Filesize
32KB

Download
memory/1104-470-0x000000001CC60000-0x000000001CCAC000-memory.dmp

Filesize
304KB

Download
memory/1104-468-0x000000001CB00000-0x000000001CB9C000-memory.dmp

Filesize
624KB

Download
memory/1104-467-0x000000001C500000-0x000000001C9CE000-memory.dmp

Filesize
4.8MB

Download
memory/1104-466-0x000000001BF60000-0x000000001C006000-memory.dmp

Filesize
664KB

Download
memory/2520-514-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-512-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-513-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-506-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-507-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-505-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-517-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-516-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/2520-515-0x00000241C8500000-0x00000241C8501000-memory.dmp

Filesize
4KB

Download
memory/3740-401-0x000001BB72030000-0x000001BB72944000-memory.dmp

Filesize
9.1MB

Download
memory/5060-359-0x000001C6B9950000-0x000001C6B996E000-memory.dmp

Filesize
120KB

Download
memory/5152-492-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-491-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-502-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-493-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-503-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-498-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-497-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-499-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-500-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5152-501-0x000001D93A9F0000-0x000001D93A9F1000-memory.dmp

Filesize
4KB

Download
memory/5648-572-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5648-573-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5648-574-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download