Analysis

max time kernel: 38s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2024 05:23

Tasks
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1

Sample: http://wearedevs.net
Resource: win10v2004-20241007-en

General
Target: http://wearedevs.net
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures
-
CrimsonRAT main payload 1 IoCs
resource                                       yara_rule
behavioral1/files/0x0008000000023da5-432.dat   family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
-
Crimsonrat family
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid   Process
5752  CrimsonRAT.exe
5876  CrimsonRAT.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
130   raw.githubusercontent.com
131   raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                      Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe
NTFS ADS 1 IoCs
description                   ioc                                                                  Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 417839.crdownload:SmartScreen  msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
1948  msedge.exe
1948  msedge.exe
4612  msedge.exe
4612  msedge.exe
3464  identity_helper.exe
3464  identity_helper.exe
5640  msedge.exe
5640  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
pid   Process
4612  msedge.exe   (16 identical entries)
Suspicious use of FindShellTrayWindow 35 IoCs
pid   Process
4612  msedge.exe   (35 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process
4612  msedge.exe   (24 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target
PID 4612 wrote to memory of 3576  4612  msedge.exe  83
PID 4612 wrote to memory of 4832  4612  msedge.exe  84
PID 4612 wrote to memory of 1948  4612  msedge.exe  85
PID 4612 wrote to memory of 4288  4612  msedge.exe  86
(64 entries in total; repeated identical rows collapsed)
Processes

Process tree (indentation shows parent/child depth; each entry gives the command line, the PID and the signatures that fired on it):

[PID 4612] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wearedevs.net
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [PID 3576] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0c8446f8,0x7ffc0c844708,0x7ffc0c844718

    [PID 4832] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

    [PID 1948] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [PID 4288] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

    [PID 2948] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    [PID 116] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

    [PID 4576] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1

    [PID 4344] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1

    [PID 1020] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1

    [PID 728] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

    [PID 4548] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

    [PID 3464] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [PID 1960] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

    [PID 4996] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

    [PID 412] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1

    [PID 1520] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

    [PID 2528] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

    [PID 2768] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1

    [PID 1688] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1

    [PID 2156] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

    [PID 1288] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

    [PID 5292] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6180 /prefetch:8

    [PID 5300] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1

    [PID 5452] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8

    [PID 5640] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,9149884790315419767,9695341701041770610,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [PID 5752] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Executes dropped EXE

        [PID 6084] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

    [PID 5876] "C:\Users\Admin\Downloads\CrimsonRAT.exe"
        - Executes dropped EXE

    [PID 6120] "C:\Users\Admin\Downloads\CrimsonRAT.exe"

        [PID 5332] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

    [PID 3672] "C:\Users\Admin\Downloads\CrimsonRAT.exe"

        [PID 5404] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

    [PID 2868] "C:\Users\Admin\Downloads\CrimsonRAT.exe"

        [PID 5492] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

    [PID 3132] "C:\Users\Admin\Downloads\CrimsonRAT.exe"

        [PID 5448] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

    [PID 2092] "C:\Users\Admin\Downloads\CrimsonRAT.exe"

        [PID 5412] "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

[PID 4664] C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 1828] C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads