crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT[.]exe

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d3f-208.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 2 IoCs

pid	Process
1272	CrimsonRAT.exe
3520	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 509148.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
4928	msedge.exe
4928	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe
4328	msedge.exe
4328	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3740	4928	msedge.exe	84
PID 4928 wrote to memory of 3740	4928	msedge.exe	84
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 4520	4928	msedge.exe	85
PID 4928 wrote to memory of 3724	4928	msedge.exe	86
PID 4928 wrote to memory of 3724	4928	msedge.exe	86
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87
PID 4928 wrote to memory of 2424	4928	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd1c046f8,0x7fffd1c04708,0x7fffd1c04718
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1272
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16162588776855574765,13272782040430923240,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d5248dfe7e00849f4135060dd9181756

SHA1
66284211928ab349ffbf14a009439eccf95583b7

SHA256
cc96f0a27e6ac4d0e9a6a14d0699986107a88ffd09e2287a9af9702a706e7e5a

SHA512
b45b27b5f5766507342ac5b1ce103fa81d6dd7888fb689ee55da32361889f6696020d4d043c89a9d63aaaa4fb87acedc8c8b08e8d7f31bd7013fa10f6996d135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
11e26fe3c8a6be94b791ede5e2b41dfc

SHA1
7ed21248151998a7e6d0f33198403785711747a9

SHA256
4398ddfb7d3af77d5310995434bcc3ce9b4caf97161ba09b259f397a6c600fa2

SHA512
30c4b23fc4b271617c57c2f54f6b960d336b06a147608ef636027de85c96357e9f3ab74bad2f6d6695822e1d2c5ef016d2c295126e49479203011103c6564dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
898120fa44a84ca2783c483df70e4ea7

SHA1
86f69699e14fcedbf055ffe38b237c9a7d697793

SHA256
2fab37cfc89b1e73c44807a668771c5bf61f7f267e61a2751fdb26e89b705751

SHA512
f7e51e9b84f323e126e2ae062088c3e219cbab4badf977612df1589fde9a5f80069c7c6c11048bc141690fb64df3d7980dd3293e44440f959a19f965fc657835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdcc1381b591f495aeb3134a0e7d0926

SHA1
c6411b0f61f4c48305efad27de0ac8de10d84437

SHA256
9af61bb23325c2656dbc4a83df13ef214fc5e675256fbdb2ff35268d84c65f91

SHA512
b3e6a3bc087a91afceaa7e0114dac2e6b21cb4d7b40e67b1e6b13082f56fd1e188141399aec1866c6010c52bf8ed526a9d1ca13dfb79c7dcbedae79ac9a476d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
96216cc351ccfa4f777ceb9945f35903

SHA1
c3d624abb1a71d8c808cba3ad51d6b02a1670a1f

SHA256
96b32a57986082b2e346f1736382bb5735e301ca9b8fdc723414dca29c98b0bb

SHA512
64df45173f3889267f64678f502d1a650848c2b3dd4b4ca152485c90dd6cd52926f5e94e50ebcdd9b9e39cc02731a696218c1a25a4996b81e43fe69580f7ba42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff2c09e5cedaa713ecfea83feeb0fa75

SHA1
be69072a5e45d6859d5983848c2d106972e55aa9

SHA256
1af5f231043a5f1fecca97262bf7d342f44d7a93077b6ee4e3f3d23c06ec11f2

SHA512
24fadeeba85b73b2d031318153c0dd2ba8730f7ce07e512e58a9a93bc738643df37cfbad5922d301f857e4fc423e5dcf99925c2f5456f5bf9053a662d4f983dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
49c24ce75b2388e6c0f5c8c0ad193ad9

SHA1
d526b549f0d3c16b72159d0b854ae392782dcfe0

SHA256
0e4c82aaadcf0b8c3a1437b3c068e941ba6063930455cc4e8032248ccec16242

SHA512
701a0617dde3308cede5565acb6e98a29ce355be360c81c220e36826f1c05b1baa5a9ea9da9378d65cf6f9a90b834df6ee95516863e6e500e86e6f075f694a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68e81091bfbfe2ac5e478fb1791dff74

SHA1
959c5bccb3de4ce7e619fbc45f7d52eec837844a

SHA256
0400820219fa3bafb47b1dec45f94915384714afbfd2959c84a5e1d6ecc60bfd

SHA512
78069615b0fc779d935f98e0f12af6957d73f591660d0b3df0e91268122fa5a610d4a7ba4233d4e39681d6ed4efb609e892270559a83f43770481568930b8925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
18b559984d4403495317b5eff2a8c2fd

SHA1
caf2cedca5250a2d70063251710a3065b761ac1b

SHA256
992fbd990d2e0ad233364f6dd7f87a381134f08a2127d81d93f8900a374f3366

SHA512
7d280967138670ffc45626d428225b8dcf26f62436a4b0c3430201339514a848b7f5b48373e8b47b79e6276ef0b9dabfc75504b7995c0317c3926f9394df193e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58049f.TMP

Filesize
1KB

MD5
d900b6d818ae009fd9777f0172cdb3f6

SHA1
78d4a6d94a85ffdd0862865a0ccee319de0977ea

SHA256
0662f7e1cdf130a27d59d52e3890bf1d059a0cf6ab6f971ab67be3dd4ab4d20a

SHA512
45c773d64c5ff6b3cbfb529c2b41d08c1f6d553c5176ccdda3e45dcf62d7d7d34818a8d71fc777254d46f22c42e44712b3811433464048497652b179cd1bbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c0d884cb9949c52bf62afb18a2f69097

SHA1
962405c49d48e4b029d0a12c1e93699b9a407f4a

SHA256
332a41a0bdfb0c5bdebf2a26c148c994557b3c84bb6662fb9ec422c8072e9d38

SHA512
dc322ff70c597af002314c624a47c5defadb950d3e53ef577ef3edf1ed4010844b4d738217c55d7f05b41d741d3026c57f356a7a01712dc660b23456edf6c621

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509148.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/1272-185-0x00000165E1DD0000-0x00000165E1DEE000-memory.dmp

Filesize
120KB

Download
memory/3520-217-0x0000019995600000-0x0000019995F14000-memory.dmp

Filesize
9.1MB

Download