crimsonrat | hxxps://www[.]google[.]com

Analysis

max time kernel
207s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com

Score

10^/10

crimsonrat defense_evasion discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000069f-490.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1664	CrimsonRAT (1).exe
2112	dlrarhsiva.exe
1748	CrimsonRAT (1).exe
2980	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
3	raw.githubusercontent.com
48	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 298650.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 997526.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 439435.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT (1).exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
2764	msedge.exe
2764	msedge.exe
4692	msedge.exe
4692	msedge.exe
3832	identity_helper.exe
3832	identity_helper.exe
2600	msedge.exe
2600	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3508	2764	msedge.exe	78
PID 2764 wrote to memory of 3508	2764	msedge.exe	78
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 2816	2764	msedge.exe	79
PID 2764 wrote to memory of 3920	2764	msedge.exe	80
PID 2764 wrote to memory of 3920	2764	msedge.exe	80
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81
PID 2764 wrote to memory of 2340	2764	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7fff70b83cb8,0x7fff70b83cc8,0x7fff70b83cd8
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6484 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1640 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Users\Admin\Downloads\CrimsonRAT (1).exe
  "C:\Users\Admin\Downloads\CrimsonRAT (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1664
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2112
- C:\Users\Admin\Downloads\CrimsonRAT (1).exe
  "C:\Users\Admin\Downloads\CrimsonRAT (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1748
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17106303581799735722,18428360435921704458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT (1).exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2af539b9-f266-4b0f-b399-690d6903c775.tmp

Filesize
7KB

MD5
459710cdf18249697aab8be1fd3251c2

SHA1
2b43ff4f9e8b19f9a2f05a23ae3cb47ac6753547

SHA256
b6cf951777f7b5523342d190e20fb18d2550642ba54c25c167528b5caa8123cb

SHA512
821d01c6ce3254ea7d61af8284b5418132d2307c23648e8ccf350ecf3453343c98bb62cd7cd83e676724c054f6734c02d7dc69118bdbabafde4251ee666b80a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
25KB

MD5
e98f77c695876f1fb5be900b7746f30d

SHA1
d68be5c834fc18f8d1c2dc6131fc56dbe5d2e3eb

SHA256
70e3bde20af4c0241b47fe708e77c612b75eed67692179114c24fedcbd35e833

SHA512
dcfb3868b21dd8e177da9c92d042844b45e89902e4284fa582f10fb414253f0b7902f430a593ab936563eabc64aaf29fe6e2a7bd64d720f08f26ef9a3669b430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0720badf6795a0b6_0

Filesize
3KB

MD5
22de36ec711335614d0de22b0c306c3a

SHA1
3458d756e94dec1203c3f14e79a69b4b9b7f5ba6

SHA256
73bd66adda240ed1d9b68402b3959c5f42d4ac69c1037396c37e808a52a5d56d

SHA512
e6ad54a4d585724c8ed099b370304f6bd3f729dea05f1f6af0a055f8cf8bd684ca2a7b4a63da05a778b54554ec7b2c6301e48b48c1b62a232c83bc7e78a4bcdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
89d21593dfed8e38115227872e948745

SHA1
3ad0d13015b51824cdc74565ca9dcbdfd3843066

SHA256
c1d62ddafbf278492e9d3dfc69f68b8dbd0cbd932ff9ebd9a2d39b984f3d3365

SHA512
ba532516794a96e493cc645551f16c3fc2d1ea8b2c05ddd5ba245e2cdfe623714fd9bcf11b51eaa308e90ed5f4c5dc37e41959f00efb88ff03b3dea442b2436a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
9KB

MD5
77679519ea04bcff78638e3142fecb41

SHA1
89190dc215f6fc292742fb668a3a45ed03444c50

SHA256
1d3ded849d791070382a6462c4531d02313049ff818d05209b9f2a6bea0a1108

SHA512
39113b96a00a36ad76f3d626eb063979c70a52efb38073a356a96ac38a0cfadd4f9d30ed913351355518d10e9d2caf998b24d9875a17ee12442b1f424aa38281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d07dc3a67fdc3b2_0

Filesize
8KB

MD5
f258876922d18a0f85c24fb67298121f

SHA1
97e7bcd5752ce4d942e2c4e964189e0c1ae30f53

SHA256
0c9246e5a35a09c3e604ca495ada458b447088ef1ef7f38150a9c97a44fd7cda

SHA512
1e2215e14db14e06de35778a9feb8457307db7228efd0262adea2e3b9d303f7f831ea09936789e54a25a11d87102840b34aab2fe1630fc3f50dd1b49213ccb81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
4dc19f7e9d7beb291c52bbede73efa56

SHA1
2c834410f57665ccda75f9b9bf4016980088dd5c

SHA256
08e218b33c01a0fa1353be6e3920f212bfed7a272c6e30046e3c564f434e64e6

SHA512
f395cbd627eab39805d568174aa13370af01bc87126c8941bb29d42c96e1b8d484dd8e203d28a0e11fe2e51bd6925da1de7e994d549d3b5055ce6dac52b4315a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b3e82669a81c981d_0

Filesize
2KB

MD5
5935bc9a7f3668309fd000373172ca3b

SHA1
19ac1fd552ca252905d5ca3ed897c1522959f309

SHA256
4215f5c22572cf24b663d726f7279d0b30b864deda72431717bc23cc9c0d267f

SHA512
96eff37f01ac79743c772b36061e98d8ff7125b02fb85649f34821a1a8010d99efdbe1e24826a41b29b497a8b238d38db522cacad3e272baccc29f72089bd928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
835a4158c5a5ccd8ee97c67b3034e6c9

SHA1
e55b0b656725e9328e2ab9adcfde0477530a761b

SHA256
b9d7fa9f1541c13e33522014249a60bb7dfea68afa616dee78ccd73a501c9b63

SHA512
afe8fc961b2df9a892c958fcf0205d77b1a310ced71b6f0508bb6d4eaada9cec375346fd164618cdb7b475f6ea8a36c2b596a65950d19f4a1a4a804db979bff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0a06c0b5299e5a9d2fc1c5ca33c467bd

SHA1
aa4dc18c9c8459bfaffc3a8a819135bc74cc356c

SHA256
98cce09b7a0fbf019ffc469c01357c780d3167d986e652907546dd1758f2a596

SHA512
3ee042b21e0f4591e0c950b9997bcd01c7c68919db46b854598e4ab4dd3579b9e257afc724b147eb55e94105fa89cf73b61cad141b457cf066782d45a5f34ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8303b1148038e005f26443b5810c8751

SHA1
889818da98a7490e4516fdd59e07dd4215735371

SHA256
9d6b02acb166133a4f76e97a7888775a2d3d3c9536ab67491f9664e19c3be85d

SHA512
773671838bc0981a0f14db9b871985ffc40c8af0761ee8a9914c25417994e74fcfc90eee4595a3fc6a9be32d585d9995f082348929e69f91f8a8aeca30de86b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e03dad304d02619bf5853dad4de2eba2

SHA1
c72be9f1ee23fddb32a253d4a000afffb7f6aa19

SHA256
fdb926a68c4948d914c1ccd8e3c3e38946adba4b4f3cb1052cd33569874f0fc0

SHA512
0232471ebb95a9002726e364a457fc15beb872cc2c7372015de0e0333ab6aa49b2f672e0ff70177198f959409d5706be2b1642a677871b7e51858fb9303851bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
58a3904092e16e2a62976925c5cff097

SHA1
b0244f34c56c1670bf2fe01671da8b8b0e3ba82a

SHA256
1864a06d9e6dfd2f9804eb8329813da6bf86d8c98da6baca3dfcc8a8ce14f7e6

SHA512
325d825fceb53321f03ed04f19824acdf1e3fe465590b8d6d808dad56385e27844fdc75476c18968968aef8f61eb12a756716aae1165f6ea8bc6451c28e55f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
835757a46d83a745dc26136e22f750b6

SHA1
02136ba86b5f8f5ea510a2925a8db635623d2796

SHA256
1dd6cbacadb6504ae6e3ab3758c016689e82dece1bd7bc04a980fd8c1a9a7c0c

SHA512
4b3b2b8c757c8cca3e1aa3f7c001070213ea8c2e44cb5c97246b16ca33c0e498bb4bb659ea6b2f5fae05f60c3a8503d884699b7a95fffdb09ce1bdfbb62e51fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c5ed786d61156ff03d4d7d6231989593

SHA1
f9e75b5893d0c3aa88e75c8f755aa80b4c3bf27d

SHA256
0ca91f12b62912eaadc2774ee527961f8350a3b81a6b660c240b2e6dc4816460

SHA512
bd95515034c42fb9cbffeb5f88b22f99b852df66a52417076e951cd63303f1f0f3aa2783d5e15ea07299a8b27c8cefcab17ce468503816084a4ea34ece332e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0aa6e80c1c63152845c02f6e7b9072b4

SHA1
bda589d2380c411789fb1073305dc34c059bba2e

SHA256
28813c6a615a7cc841c4c4ac4ed5064dc95955ee806a5ceb36ed5819af330582

SHA512
39f83597e050310b7bcde970c37fa45ee84bb26ac54bc3777a59fd62f593910cc6de3c30cd77ed2886b009b5d3c5e12a13f7cb94310f36a03f17c16a3046eba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
73df61883cffaf059b507dcd3ed2487e

SHA1
2a7bde5575486755d073ed6304c7c790a873dca8

SHA256
8ca5c8ce88088f38fcd447100a3e4e419c1a5fc2a570b1cf3d32167a0caf5a2e

SHA512
3d912b9331306ddb6240fa4a3529094ecf8b3100874d32fd3436788efc84ca4cf019954b131c39b05cde2a60870610b13b845f087f5db70c5fe2228a28ff67e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5183613245eb0bb6a74893f0990b76e

SHA1
03ce2aab1a458eebf2771a6ec586a0c8fc28311c

SHA256
f19bee5b56bc3751850066265711ec4cfedb6340f22838e6e73153f874ab3d99

SHA512
dc197f22fe1b22d1ad8314fa3fde79091d428cd397c747e3fa64f1a3ff27556d83aad46f0cb6ed508cdc5ba50cacfc9cce45b880320bb5ba1c715beb36a0185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f4e3c003ad3cd6c0149463adc1a6b54a

SHA1
8e8d9a821a314d5cd88375fab4d2e19d7c7fb5e6

SHA256
ec4dd8443955e8b32dbd7f9a0a1e6fb0081fe450bb548c0843b0da5c62ccce8d

SHA512
a715be40ec76f7ceaa8185c47638ab79ab03fec70801f3720dda55b1c81bf63e3324c44c0f24864e70c313fe4892c8e189a76f2302463710bed440372559ecec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
488e8c48d030d9274e8487c229000932

SHA1
d9b7da52681be069594143f426fa0a147e7fd0b1

SHA256
00efeced794f44153a7784afef83ba78cdd3c3970f59a66093f5af79fe8a79cc

SHA512
720975ee26ac41a49677c31c23e5c56fa3d2e6e0e615ed8497d460198f6da5a69d453463cc88a4ba42461c609f4745b79fe8b41b89259c5ce0c68e311142c38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95856109ee0d650a5b8a7d0e1c90fe0c

SHA1
13ea6cdb1852a93f19a8a91116221a678a870319

SHA256
02d45135b491eccf67cf2cd9789ee1bb57c2034fd062eb5c53e18db9d5ac0fd3

SHA512
b2bb558faf348617af964396e44f004426e7998824e3e9b1906c68beae074b6b7bf2783c64211c2aee98289f661f4a5523dab61eb88f9a70f219999d2e8cc07e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30c0237b3b2a6d6d6f09be9fc5e72126

SHA1
b1f22aba46e9b8073748267493fa931b03f56880

SHA256
6135021e440e55bbf4f43919894ffc0944e9ef46b6406c219df71afa0b4170ef

SHA512
f71884d668cc2859163758298acea12f329b59d3c8bfc4ce1aefe28fec9e3d2dc20c432c6e6238db244b4be770627e0ddd1b69d6967a2aa20c02f2afd66d6152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc1cf8f88826875e3278e14f438cd8d6

SHA1
26b0a3d5cdef56b918f7821e0300786c7e3eed0f

SHA256
dcf3210e7b831ffb81eab98ada5938a96100be693b0533e89d37e368068db518

SHA512
472ae9fd5dd649e9fb7265f58b065a5d652df77b804d87a5c537f8783acd212372935cb83a2c172d4f1338fad2b02b1f9be6eacf4533872eccd27078c1648992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d5708c8f15fd58c71ce3cd6207090d94

SHA1
ee9460b71e61bac271f7184d1f01ab34be89d2f4

SHA256
7d0226a0fe2239173be3b869a155122d959ed2648da04ac606d56f07d47b6edf

SHA512
1742787e76e4de9022886458c1e11a09a689c7b2f7c2161b69c2cb16cafdf78246e9305b8eab7e7116c40a7594fc7dc7bc484f3e68a4935f62f85e419b87c074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
616f7376fe55a327944a4e51d5fbfe8b

SHA1
2a48cf98a72e7e61540df31747a98507362d3d87

SHA256
785d3cf4b14e15ec79aba6a62fe7877539a7a93437f0370999fa4c3bf358d582

SHA512
a044037fc0d585c323954a0f65606fff3d8728555e1aacbddcc827464a802018dfc99700d720ec1e2af802f2c35ea07f411b2811796e48f1590bc2094224cb11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
442ef349a2a53fdaf662062f234e200b

SHA1
80e1f9c98e046722e6e17e089241e91e209bec89

SHA256
d7c3f1090440921c50b34791f12dc3b43acf124efb4393b2c65db97434d533c4

SHA512
6e2cf6b6457fec5443d64dfdf057ddfb32bc93eecb4eafa516057c58820a924d8fa291ca37ae5324ee84256dca2198c1221cda0f877394aa0a3261b5139cb680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
baaca5ee69152750e8f780cd72f122a9

SHA1
23d2a7f6d84c6a506a38d3b99abe16da0bc4dddf

SHA256
12c99b07afb087cceb9a6dc76316555e91d8cabbc48a6e5c3310b6c9d910931f

SHA512
80c7ef0fe6e11a859b92ca7e3322dc0bc86617565975174443939a6cce932dcf3a8e900073853b112152319514a2da851a7375084b66d9103881d4e4c2c1f5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b10657a991bbef4e033d2b3a0e9c09ff

SHA1
7080fc0e8bdcdd9091032f9f0e7db365383ff9d8

SHA256
6bd4a61cda81aa91f37faf9ab2776b8c70ba38e823dc7437bf39de9ab0df6f3f

SHA512
fca7b9b855eaab553c8c4fb4f2bde8a88bffad8771c1da840263383d66e4b3f86521fcd0e650209e2edab3ae9da1080ca6d59ccadf37bc68587bbb4b2d3f4312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6fde879b841f11be4f4aed3e6fa48069

SHA1
fb7b7193bcf3d50d917aa4af90b3fd40a0e82afa

SHA256
af9257a4c9b9df18b2a2397cf944756fad03244713b9dd96671a05b23ae72585

SHA512
1017251dd0913b6ca21b5c624bc26ffc6e20ec99a1364babe63e799a5eb3434da699aa3b4e9e62289345a1b844c164972758165de13d52af0a657a0cacfe6756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
340e44b8e61d41ce90a401becf86090b

SHA1
fbacf793d2c10a3b8ea3c75af80d0529a269793c

SHA256
5056b1318f79032d27b1d76b57e1b81de196c0453dba09795f9e48c3eb0a1848

SHA512
597c773e20638a13d23dd185e9e31762d1dc22efa6874539f95e8c0fe062897915c0ea9d7843737aa3469cce06120984c93c67b255339a328607697d820b1a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583dcf.TMP

Filesize
1KB

MD5
58bed4386c8c086de377cb3f81213587

SHA1
1af6bbbff8e37ef47f7277096aabc648232b59a6

SHA256
35e87a94ed04779061f805a62a74e5027933fc6640c751d38d2f2a3d75ec73db

SHA512
a4e26266d72b0311e48591d81674c088c8381bdb4b1898da0843f2e590b1c2d36e170ade3bad7faf1bf70a334ff051ac306115a9434185afe060b05b85e64710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d97f4c6eab78a56646dbc0183271615

SHA1
c60cfad8d5bd8eebeeabc0a37dc2aeb8f8c60d25

SHA256
087e3345cb9ac57e504852c9ee58c1502873eb185e2a7f04de1d31d62c7c572f

SHA512
572e844a1007f426f6843cdcf78a7894cb23623c603ce02cc489a1034084e886128f086f018a1889f4021cb47779f78b3f8a2e6ec0d398b49c210568124116b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
69db9be8f63b4eb2eb29d17c89eeedb2

SHA1
5449f770dd22c765ac66590af1aba9cce840adb3

SHA256
8e9f79811c7f5ca6099df2109d0ea6fc07ae3a5e0a976e28d735c35a094e4519

SHA512
20678b0490cf479933b9c174e35eb54cb5276f30839c41e2451a92d9bbb5e6b04302591958786588ffba7ebb3b7e6f91d095abf8dc115961000a94e8b4676d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da95660c0a92e21d61b4898bba1072db

SHA1
6925a4f742062f2b21f3c2cdec7c3191a75aa20c

SHA256
73e664bfe6d123d5bb2f83fd7bc7614b394531a96451354afa6cba8c852e6fce

SHA512
fef72f0f76fc90e9fd36dc403a2fbdc2d6c2ec57dfeb3442c25318aa04c228c23e0a1928a246870e253085eaa6b1e6db86570abef45bc870cf1451b9c9384eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
39d43ab3aa7e853014adf989d6d97cbf

SHA1
c669ee4f444afe2c49614d8652023ef10548684b

SHA256
66056ca55f7a93e6b3b85808af87c6b1605eda1a676aea47eddb8ce1e67db3af

SHA512
41ac0fd6856d1607b0b235ea76f497b560dfe33211dd9c4f7747b3ec06d07fa13019ad7ff86031a304ce49ef9454d10df041dbd37bd442dee75f34ab0b3fe45e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT (1).exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 298650.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/1664-467-0x0000022C64AD0000-0x0000022C64AEE000-memory.dmp

Filesize
120KB

Download
memory/1664-509-0x0000022C01A50000-0x0000022C01AA3000-memory.dmp

Filesize
332KB

Download
memory/2112-510-0x0000018EAD0F0000-0x0000018EADA04000-memory.dmp

Filesize
9.1MB

Download