crimsonrat | hxxp://poki[.]com

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://poki.com

Score

10^/10

crimsonrat defense_evasion discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

CrimsonRAT.exeCrimsonRAT.exe

pid process

856 CrimsonRAT.exe
5164 CrimsonRAT.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
68 raw.githubusercontent.com
72 raw.githubusercontent.com
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
856	CrimsonRAT.exe
5164	CrimsonRAT.exe

flow	ioc
2	raw.githubusercontent.com
68	raw.githubusercontent.com
72	raw.githubusercontent.com

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758266282488779"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	chrome.exe

NTFS ADS 3 IoCs

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\smb-37n0gip7.7z:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exechrome.exemsedge.exechrome.exe

pid	process
1372	msedge.exe
1372	msedge.exe
548	msedge.exe
548	msedge.exe
2576	msedge.exe
2576	msedge.exe
2092	identity_helper.exe
2092	identity_helper.exe
2060	chrome.exe
2060	chrome.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
6088	chrome.exe
6088	chrome.exe
6088	chrome.exe
6088	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exechrome.exe

pid	process
548	msedge.exe
548	msedge.exe
548	msedge.exe
2060	chrome.exe
2060	chrome.exe
548	msedge.exe
548	msedge.exe
2060	chrome.exe
548	msedge.exe
548	msedge.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe
Token: SeShutdownPrivilege	2060	chrome.exe
Token: SeCreatePagefilePrivilege	2060	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exechrome.exe

pid	process
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe
2060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 548 wrote to memory of 4564	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 4564	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1324	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1372	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 1372	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe
PID 548 wrote to memory of 3152	548	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://poki.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ff881953cb8,0x7ff881953cc8,0x7ff881953cd8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,9605151596998091587,16214172976815257396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff86f43cc40,0x7ff86f43cc4c,0x7ff86f43cc58
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1668,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1984 /prefetch:3
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4628,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5136,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:2
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4956,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3160,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - NTFS ADS
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3092,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1184 /prefetch:8
  2⤵
  - NTFS ADS
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3280,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3068,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5804,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5756,i,2076806636262711629,8932002434274449929,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6088
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:856
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:3412

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5536

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Executes dropped EXE
PID:5164
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\73b1db3c-a6c0-4860-baf9-540f66314808.tmp

Filesize
10KB

MD5
17e407eec46ddd9a92ce1c7f0e5801dd

SHA1
904461751e5f86d93649ad6f231872da0f2e8800

SHA256
a8460aedba14e17ba5313ef8f30323bb4a5a2c3ca200df8e833d9b3351d9fbe7

SHA512
f45082e49298768ff098e8a44fed08c85069de32ad24fdf1ce860a6b11dabe123d774e99f6b1c4efa91f9d3f958fba0ae4a923a4a180140643e72e7430d5ecc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9afbf4ed-2f42-486d-a394-7c191234b1c4.tmp

Filesize
10KB

MD5
e605d2226ac9709a5ae49dc3b994c238

SHA1
6b2036e27f594f076abed89e553e718bd08bba72

SHA256
94253968e97973439df50e9cf0bc44067a5518d624c822c4f46fdaf4236d15b3

SHA512
67edbb67e3ca689b18f6b58f8347431458b944300f8cfdf25b674a9dcc1e053c69012614b2d487fe3ac359ea7f294390f7a4a2462ffc97dc17c2138ea6728170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8382dbdeb5798f8c33bb39e8e1bd3dc7

SHA1
1442900e391455784fd852ee5b9b82e6c8471f4e

SHA256
1cf9ee5907b5b037d7aa2b415c17931219061e295939d8561c3c230b7ef41d6d

SHA512
560d3f7b2d640dd13e0676a21c3b1537565acd1ec3bf7c68e5c26f94d288e023a53c187743fa7dca9675d3f083f9efad691aa4c9c1350f0c2d0fc78e4b8676f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e92c779b64e4058e1d041d6f7ac02207

SHA1
cd65ad176cdf18f1bf5c9212b7addd71789364c7

SHA256
52af981a0fe79ee9e5cf6b0cdf751c1ec5cb49e1257c9f9720e822e3cc989097

SHA512
60ebc9e051e014820aecdf733891f18d23fef36d00feb8ff3be31c40ab270f721efaf9b335d8577f141a53514886ece286a2676bd7200ebb55bda1b287a88f55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f47e06d8a58b417b987401768d787228

SHA1
8df71eda84fe0a1a8d8b1531d196023bf37045cc

SHA256
d52028a704aea831571cf4bad223abf699d3a1bbbdf7a18c161d835c91f61efd

SHA512
2def7a7dc176e649233602b01cff057b78a0d9ada82c7115c7eb1dc9026c42a05871eecefde8c39610067c357e40dd1601c3aafedda3296db99a6490e197f048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e791fd123ff252f29232e23774124a02

SHA1
32b1bbc9297306e1c3f02b57f778e37c08be89be

SHA256
a5e36782828f048e6aade9ea72ca6847e5dec72c69ab18676308e108ccb87e4f

SHA512
058c313568a2f03614c6ff1328f34a271db6e30a5b69a9a943a37965e0df8fe97ecffe846d3fefaebe9e32f54cb5de29de6a07ad471b6d3b068197a0f0daf60b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1dddece1808f442e3277748cd4e82bc9

SHA1
23509a6174112f9a1f0bd41dc03093b98f7dd4ee

SHA256
bcd55a0306335dcd786baa85277b46dca21e7e3205a156ded22a6c65331f354d

SHA512
122c80c8f3ba538d9000f40c519ec63f0efbd40659e3c4d7276c81d946f5bb190d25c636f0602fac486e26cdaf55206b6858f0637744555f408b01d02776a0e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
566fb9e1c0874cb87ff2a682ae044ce6

SHA1
9c619cf05aca7ba49abafa280977701ef9a0e59f

SHA256
ff919553d98b4b527d027c25cdeefdd1fc43e36d60b57c0418150d9877ceafa8

SHA512
beb5b8ccf54e1611cccac9533752aca1b0c9bcc8e643adc253f8c386ffb6397080b81c1a08059e52922f99a6212e6be8427fc215e27f8ee75b63c0edbc7f65cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9260755284a94aa4acb1c38f010c977d

SHA1
43854cd4920698ba11fef478be4604dbdca0fab2

SHA256
f4f99268f50b5bfa4746a48b709e6e6896f735934042fa42dc2bec5371b3c056

SHA512
a772f054023384e1f98f2930b5d84de172ef5d14742bbde2001c7756333bf8fe49486c4e883a2d3045638df86533f1c2d863526c047a4af07f970cd274e1f47c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
20261be977b7e2cc8c2b4bc13e672834

SHA1
82e392921d2c457837e4157c29202e15663f09bc

SHA256
d5c6ef4c134cbfac503bc35af5e6a4f4f2b8bb5f1c573475a1556bba84878ac6

SHA512
3e42c74f6519ff91fa1c2a991e8a1c333d6ce33f200f0dbbb6a53ee7cd69bbc879f2699aad00e819597d8c497130dfea177a36ce132bf7090b347274cc9b0a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ad1613cc47977195b89f056bd7d09741

SHA1
12394acf1cb43c60b4da8112ef12aa9e651af95a

SHA256
0b1192acbc6d4c7b6ccd9fa328d124bd7de01089c428ac1cba70323da03db9bb

SHA512
6e57d357f4577ae66cbdac17f8c03e4b96397ba94041af90fd0beb8562f1956e5e12c3ad6bc515436e20b3fe430dc70af24259d058b23aa283de7870f67cbced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ab80290431f0bb8dcbd6619aad310b08

SHA1
e9b5f17fc1227a70025dfa2fa2409bdda85f5810

SHA256
c362db511b2471b30c9855b00a12c9132b5b7753b44c278cd94d09be50d9d664

SHA512
435c3cb4d0c4d633103edfb3ff77eed92dd3f64f3bab9c17362abdbcc06263aaf7c707b8089769556be6cfcb5f011d4299cbdb43a0c91ad5872220cc6fb0986c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4a62e14b2c440064f5039b8fd395494c

SHA1
f3feedb44bf26bd36673a1257c8c66a9fa4a9bb4

SHA256
ba90b73b205ee91f35cdbb074903ca13d3ceed283e3d0f199ea297e34d2ba184

SHA512
a8d4de32ee8dca12dd27a5402fa180e22c0329469dc293ea3b208ce958752970dc07d1a61a870fdaaa68f17e7bdc543163c5ca388a3975d32498272b081aa073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c0cb13bcdb9a72413b4b624df47ae411

SHA1
3f491d9b9f9703718bde4f729ae916d9316c2dca

SHA256
33fba204a84b8c37d348f632fb7b441a7f02834e315f94e95bb0f41d96dfbaf2

SHA512
d68dc68d9a753eff55fc31c2673e205d652ab4c50aef21ec1a8bf8ba8a60d3c81ebb1f466219eff4cc83c07cbdf85ad042f027c24468e7afce73b1bd802a1084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
61c0583d95f2290d90aafc248925fc62

SHA1
510bb24277377e636cd116b5e372f02e8a9c7891

SHA256
c473097a9dae349aedf300fe0349920e68f02fc0835b1e08b3e4a25efd07790a

SHA512
bd32b24dd69ca70a8adb75b5b21b51c6a9f02d9ef0476286645e522e7c8eb20db631aed88a22b1467240ea18eec67e790dc3f5794b56fe6a5f636001f39751a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54af8523ef56469f0e6df8c73d27e2f9

SHA1
3e7e638facdbf452b8e060497b3a487bb14c12e9

SHA256
5f786d4291669ec9ee8a6b869f207123306fda7ea89e2d7f36bc14aad21c24cc

SHA512
d0721214120216915f94dcfffcade5b7f6b972570c060380904ecfe4c0a3d4788f3ea1c82dfbd040c5845dbb9f749be553ab028c8b27ce224fe72e4707d0f9a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4b814994229af6570fe3dfbe84e6f071

SHA1
d083e2a527b5f42716be38fb1ebf000f28d03a79

SHA256
0c05cc64858cbbc5978f5f434142bc90e87cc486f4f89ba20bb71d9477aff262

SHA512
4db1a1e11419a8763d9f43da6cf66c8d9126aec7da2450ca383ba6255c728c83f3a99b45a6052bf9ada0ba431f7e7bbdd04278d2c97cb7822fe659f6aea3ece5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d560acce9aca0f9426bcbb288e6f84d0

SHA1
92585a841fcec924c8fa5e3d0818fad780edc2df

SHA256
04467f8997759c8363c6b9ff3f6d2076bf12f016858b8008ee037392457f9ef6

SHA512
339520e3c7060254ba99b9f93419605dd296349411b6d7b20ca0d8f77d1f509c0b1fb6fdd7414de973968875ab07ee40526c93e0d510d44ed4bf2acbd6624e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fa0169404ea056ee9df33d4e634da17c

SHA1
d328be4e38e8025992e6fd3763dbf83faf2b9a66

SHA256
fc3848aff37b06338180dc6405fe06fd76c4fb6d66b28ae53b11ec2abb7660e7

SHA512
e704cfdd80ac259d92da48e8d48fc306eae60b0036fa2cbbd5474cd167e3c9f0af4f305d2d6c3d24cca5c599f12fc0c67202cba8852377cc09e9b306d3ee696a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c187a52f334b3c92922f57a292b3c03e

SHA1
2345b35e8bb36262e4106dd664b5aba553772a96

SHA256
90c5eddc10844954d48982ff52c69ed388ba9eb9cfac007d55de43abd17c7dbd

SHA512
49fffaff1f9656ea7ad19e4241d263f067868e9e53491057f3cfd0df00844a242aad0517b008acdb0f63c70db0efa2eadfc1d375333d10fdb4926ba6962efae1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ceaef915983fd45f7d62e5bde1d91bb6

SHA1
e45241cbd93b5082a1b13d57513f6ebb4cbbf682

SHA256
f563c7a09640bbd5ed64a53abde638232d024f63fdcc1b629a0402c29170cba1

SHA512
5df94216a884d2a83a3c76c5e3cb39781448d72a89d1cafe121f50f8c3467e2d60ba1dc188e266ce2680a626d3b4df1a45f5a703842509ad031c94e788097cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b7b7646fd0657122d4afdf52cacf06b0

SHA1
5aa18cd81d8b8c2fef326c3a077692d932f23254

SHA256
821a03c4804d5818d24b266135b3d956e076d69d1c890833c3659de371c31166

SHA512
8afe06028d8659a9dcd1300a5955b5ad91c102ba77a18f1a08e76836e03ef6812c29f6e67a8045a2a928a370ee041d2b02d8fdbaddbb43194759c717cd3b5c63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
2e590bc788bb94edaf3f4efbba4bb56a

SHA1
453eb3900540969001e536029fb04a7ee3a98d40

SHA256
9d75faa765c49a999c485c136aafe5f82e31c77ed04912de64f2dedd8771bb4a

SHA512
0af7697bd9d078ceada25723030ac67f33696e257f06216fe452a4bf1b4946fd9c15b0875c8582f620c81ccc1f3c6a12b2aea510009c7b668b24b200cc78b69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
004e89491923c81fa9a87743d9a7cde8

SHA1
d267e70ae3bc5cd949c651771a790e1c60b067ee

SHA256
a94965579278461e545d7377c41186ef71061283c5b03eb86b6477d14f0c5fb2

SHA512
ba5b795e5ae80af0109c9729831b01d883dd7eea0d1f8416f548d07d83cd7bfee447a8115871ac9a726b74051bce20071c480fe68f9fe4c887c325b06e8006d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
569B

MD5
cd70945163b37f07bc9bd6019ecf3a51

SHA1
b31ecb9e8a5d09ff6633de3c8978a8a22440810d

SHA256
68e52bac88ccfaa4caa5edfffe8fb81a1988265e5bdc55f156bc7df2b4cbf796

SHA512
5e6d438028e143418cbc2c9916a17aa90a09d0858bd53ef640fbc8bae7e0a63c9bba354dafe9cd43c81b4ff286b873d3698b2485d0c92529a080f428de4bac46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
600B

MD5
904c8f6d5a4aca38dcb74fd3b4c6da42

SHA1
af7d896257664ff296f5a79a436799335042f129

SHA256
6bbf65793d134398edf3bfedc4a1be175db7261326d7db1e121944c049427794

SHA512
a498bf34c9e2e079b14a330be00468cea7059afd4bcc5efd0c3c6682a9f34222ba8e6bc3acf8924b45d5f44abd3568357607714deeefb52cad80eed36344fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73795939b486bd3f00d9c25bbf45b08a

SHA1
a606d2d39ddf3bfc19ae57f88ab73bae84d90e2e

SHA256
955158629ba56bca75e0f21e743c14d56730f239a842196b493f6f9f11ab9357

SHA512
9eed78740fd12bfb92371b1eb3a56811b0274e74c4d6a4f06f5798d674a5afb20320ab697fc741675d59ae925991471df5dfcb06483b5235c8339c8ba661de6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c57bc61154b545ebcfa0cfc3d3e8903

SHA1
ee41d6d68d8008231dee7261d30d80baf29a6ec1

SHA256
3bb6a9973d9fc6ff7c94c92556dbfee5f1f7cf6b63446ec7e4776f26f7514d6a

SHA512
86150d7c85610312fb78d71b25381becd75ef04f3f2bae710785f3209ea947d8b0cd55eedbad1c41ab02a6a86343aab26574b8f6e1fec100f96d318f7e8927d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
813e29e2440b038b06f155d053c6eb57

SHA1
a50fff779d5f96c8b90a8c4a94f24b3ae52adf11

SHA256
0a84928961223211e0db796e195422c2368ba2ad4ed163b4299dad05e3501b75

SHA512
8549a198acf19c15a2cbeed80a594c7c4f27025b2e4960ad60dfec242573682dbdc78f3748e398a33cae309cfaf3af501bbc7e92c0d9dffd182801bf5922355f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bb46ef3aff673b524c5be1d6141225d8

SHA1
c44bead603dbaea1f8cd33a7e1f7587638277e34

SHA256
62aaf855bf9ad6477c0b6c8692cb1502ecdfdd64b93a91548ecc28c49f9cc3aa

SHA512
d95c8318278910452b8f83ec1f45e2a032f3927a5611061d75e17df1a857f43aaa47240ff2abee7b81273c2863a5e118f1221e837265d2e1ee694c9d511fdba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8ca993b-60cf-4823-8d25-cf98d0a50978.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1712591966\0bb47610-20a6-4009-ac61-49da7eaa45dd.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1712591966\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30.zip.crdownload

Filesize
4.7MB

MD5
5cd92c0bf1c10da824e6bf3bbd0fb27b

SHA1
a9e94b711e7a3f684f404ce8e3cfb2f9c43dfe67

SHA256
66dcdc7e16a2ab92f41580667c5a7e9c8b22da293290fd198cfb2aa004292cba

SHA512
1f3c2ddf1c85f2c713e084e0253c114362a95c53ce39bc8d5e7ffe849c7ef82fff3ade9b35d7c6880c6a994432235a588ca8027d5019b93599e4ff4f9540b704

Download Submit
C:\Users\Admin\Downloads\cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\smb-37n0gip7.7z

Filesize
26KB

MD5
856f7d5760486decc69dfd962dcb4839

SHA1
8bf8b2b4609d1935c91044da3c54a75ff7416d76

SHA256
ca7cb2bd87b622738cd898710d69bfd79e3b7602f3395e9f2c72f9ea49b15cb5

SHA512
69b0c15f2cddd5eda8b113154bdb4b5ec510ff1bc157e251e3a94051b8ced9265770070ddef652415255ed2c897c29e8b904126ed579c2b2a81fe289ebbaaf73

Download Submit
C:\Users\Admin\Downloads\smb-37n0gip7.7z:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_548_PYBHOSQVSWKWKGIF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3412-1053-0x000001AA27AA0000-0x000001AA283B4000-memory.dmp

Filesize
9.1MB

Download
memory/5164-1086-0x000001DCAC000000-0x000001DCAC01E000-memory.dmp

Filesize
120KB

Download