crimsonrat | hxxp://github[.]com

Analysis

max time kernel
125s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

crimsonrat cryptolocker discovery persistence ransomware rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000074d-675.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 9 IoCs

pid	Process
2076	CryptoLocker.exe
4896	{34184A33-0407-212E-3320-09040709E2C2}.exe
4200	{34184A33-0407-212E-3320-09040709E2C2}.exe
4376	CrimsonRAT.exe
1984	CrimsonRAT.exe
3008	dlrarhsiva.exe
3200	dlrarhsiva.exe
2516	CrimsonRAT.exe
1492	dlrarhsiva.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
72	raw.githubusercontent.com
73	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 422842.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 473827.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4972	msedge.exe
4972	msedge.exe
1208	msedge.exe
1208	msedge.exe
1352	identity_helper.exe
1352	identity_helper.exe
4064	msedge.exe
4064	msedge.exe
1504	msedge.exe
1504	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3424	1208	msedge.exe	83
PID 1208 wrote to memory of 3424	1208	msedge.exe	83
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4072	1208	msedge.exe	84
PID 1208 wrote to memory of 4972	1208	msedge.exe	85
PID 1208 wrote to memory of 4972	1208	msedge.exe	85
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86
PID 1208 wrote to memory of 876	1208	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeba1446f8,0x7ffeba144708,0x7ffeba144718
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3300 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2076
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4896
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4376
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3008
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1984
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3200
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2516
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9825810602384940246,6496349982465067179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
20KB

MD5
50103a54406168d0070420c4639031dc

SHA1
72f89d2583995cccd773874e62a71f4c2321bf43

SHA256
ddbff56be29903fd1f21b7e22d6ace055a7cb0da707ed334ccda26c58cb5dd21

SHA512
51ee8e5e1d11f7b699693e7db7f59a7709dd85b911ce54126d305ac4f955fffb0c802100f8cd809449ba2b7d6f7ce747820ec5de74951f3f4cc760dae42fdb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
ff688a650e1f9c9163595dded7aa900c

SHA1
488bdba4556cd247e5cd781f137e750b8d9c4701

SHA256
7772a1b9f9a886bab84a7fd07208824093eef1dc42d77398e964824cd0f08081

SHA512
53466de79625ec426a53418b19e22dc617ffc2ddad0da00534fcae308f6c50eb83ba6893d14b3575d6d5d1531338dffc867f898350b13a8c0d492254b29a6e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
33d7cb100b898e84ed0785aea93750a0

SHA1
37e6e69c90a4248b0ec10e3957f9784845a2f556

SHA256
a2aae92c40bcc4f57477e7a3ea0f075ff9ba748767ed5d24e522fe69607eb103

SHA512
ea9c377162a32add59bb7278bb17d00bd761a353a94d437f75e5d9e4289f53c0b8f9f5722daaccc46cc38a301b80350b6bd6b2c53e3248b240a00aaecd7fe708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
75237b876e4ebf0cf587313ae92b7952

SHA1
ef712d6b1e678d091b39cd593b8d4a2a5520f139

SHA256
d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b

SHA512
0c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b511fb2dc39f93b13c5e3831c1937a8

SHA1
44b24858251753942ac8dc7b60395dcbce5a6f44

SHA256
e3c6befbd16c441057414d4ab24c4c3bc2ff1cc52a39bdf4265ef98ffb1a8a9a

SHA512
2d452e0669eedee140fcb32e3e17cdac309cd49d417141d193f9e180f6963f9cb699717100394c6b0572496ba32f825911bc9ed46359153ebed9754198b4e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8c0fe3f3b8a0a744d59262a2ca9c298

SHA1
90fe69b2bac99a8699bf64e0e53f1e916ab10cdc

SHA256
b3635ba1bd05412a2e6cefa72076de9509f98c270c0c6ff1a74c90df12804de8

SHA512
1ffcc1e089ba671d01852529d7ef1a6dbb53cfef20317aa3441bfea7873f4f56a681d4239d6982e6c42907f705acd9a3d64eb482aff3bbf1b9d1e43ef866afe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1f72971f728747555fad2f4e3b8fe75

SHA1
711b80be93ba29504f44c19b2947606ac5619086

SHA256
d5b4c9f1b97357035be2b15478a0e37c965b1520220922859bb32b5442d8c6a6

SHA512
16fc65b4a83854dc90b74225e4493da2052931fca85032b51abdd9bb0c5fb4af8b36ede3f6e644e2000ebab9a030e108f8706f747abe60afa25735b82c66b086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37a9bc93831f7b594fcb63ac32539fed

SHA1
8ef38eef85e529bef491abbd1eae1b389eebe0e4

SHA256
831ef24a14828a6b7c04dbda5823df29fecf1e9d1d587402e97bafe8c93658a6

SHA512
255007d0b6f2b781d1d38eff7d4921c2aa8c0bb3395a56d8be7057a87cd4844956af90862045024c3eb5262f270201efd47a5ec1d5c863d397bfe7fab32894b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ca48dcb3c61ffc5e8c4c07ed4bd5c93

SHA1
89010cfb92c1acfd1bf2f750387cd59943a3435e

SHA256
f30d77b4af0e0ef0257329240788b3782fa5207433861ee1906ad098fb28d16f

SHA512
555657e6ec60da14e6499ae9303c272dd2bfa11bbcec1fd541353ebfbc7751aefdccc00903ace55e5815084235289da9969a4e9a0ce5e7e63e5cb2884d052ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d2cc070234d8e8ac4083159233bc547

SHA1
152462a6e19ac46dc42b2bb6640bba6ae9fbbf75

SHA256
b6ea03def2d9420e05df850476ad3a7db073edcc8f7fe885757c93174aff0c7f

SHA512
1336d868af5b79b90bc2a9ee70ec61c2615c5c4879104d76db75581d3fe6620be85be21c8f21a8fcccbc262875a04f18f9a37e9b8922f128933c8d809246e198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b2a243a4b9a2a65c251073862be39f7d

SHA1
56651f37bebf77c458cdbba215dee069c3086a05

SHA256
4dc3393c3f3117374c6524144422b072349a6a135b01c9782f9d6b315d54cba2

SHA512
970013eef0cbf9c6eaa85716addda05eaa63166e90ae90383084b21dde59581e30f6ae03eecbbeed04c5eb7446b896f8ecd1a6e0a2a31dee9f0206e27b48976b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c3cb518ff4ec1517640897448346302d

SHA1
617e22eb1101611f748a122cff2b06acabe453dc

SHA256
85dcffdc7ca655af32e5c91eccc44814cc8bc7a01dbd220750ccd8568034f543

SHA512
4430d2bce66ac9b29c362d132d9b50945521e5b6dc4e3080eed7a044df0ad92d823db2395a62ad6184a7105427d8fdb5cd5537956abc3695ae3d0839ead68586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
9eb2f85453ce5e625b5adf7f19b4720f

SHA1
b167a0bc1aa15f2d3a1a7e822ff7ae2991cb2b52

SHA256
d96c22cbdab70ab3cf5fadb5ffd67a0566b51e2aede8e69c209a5258296c15cc

SHA512
16c3f8093d92d1347a36a5d0839fa0132a4d112b1dc3e025127e006866ad345f031d1cfe7a3950c5253c6a2925340ad5c682a85901251491127469e975110fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
9f29e87e100ea7591dc6893c9d4e15db

SHA1
2f5b3e38c32a0a802d4266b984626f179654a4a7

SHA256
f73ee5b99482b7b74c9997d7cf85a69961c4030bbd076a4b173fee78e2c8f22a

SHA512
47fa30a1b7827e006a8c051f6d2c3c22399cfb647b351bb6ecdd997673f477a58df5157bcb5618261faf1205c09a3150ef00a631b36da7614121117d2e9197d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df06.TMP

Filesize
706B

MD5
4f0166b5a9c88eb70cc425bb87eb9b61

SHA1
a151603e6632ac57ad98e56f2c7dae3aa664097c

SHA256
31f4624487be548fc49540a800d86349a58f3caa6fe07c3d5f6ce4f155ff2fc9

SHA512
ba72d8addf23305ac5b63feef6b339362f04902d67d108feb8961414a12c1dfb2b7289698751a3b38586961f29c7f9126178a53376ac84a3d779bf65f76a72a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73e0702af9c43b1ee4e30f3dacd7833d

SHA1
b0f86d58797faaecc703eb1e4235a8ad9a8f2b63

SHA256
66ae2af89f587531c800f644154a53652ff95c51734ee192fae2b822643f91ff

SHA512
31fba72e060bd0230bd1dd227306713a726b43b138e67e411bc635c433c9ff07823c2776ce9b8b16d8ba390798e3b4c138e7cd236d6fc13e2c88544e3c898228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5a64cc4579d33fb30fc56fe2b62274d

SHA1
79e1f0c0e9874688d290e091371455a34352bf23

SHA256
8ae98b7e52a134c994018037db9027134927fb13ae2dc88b61ff724b0e2afe9f

SHA512
54490bbb9c5ee85b825053ddfc40fe8f78daaefdb7d5e39d54fe5aba41f144c3869d1299ce158aae56636f7b7b7c7b56a4d7eaa362329a0ec03602a5b80f2a52

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 422842.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 473827.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
memory/3008-685-0x000002846B080000-0x000002846B994000-memory.dmp

Filesize
9.1MB

Download
memory/4376-652-0x000001FB80890000-0x000001FB808AE000-memory.dmp

Filesize
120KB

Download