crimsonrat | hxxp://dddd

Resubmissions

17-12-2024 19:15

241217-xylpjsvncv 3

17-12-2024 19:13

241217-xw2b8avmgy 8

17-12-2024 19:09

241217-xt41bsvmcy 10

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 19:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://dddd

Score

10^/10

crimsonrat defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware rat trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000068f-505.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4836	NetSh.exe

Executes dropped EXE 3 IoCs

pid	Process
4880	CrimsonRAT.exe
2272	dlrarhsiva.exe
4180	Annabelle.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	Annabelle.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe"	dlrarhsiva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
6	raw.githubusercontent.com
43	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1612	vssadmin.exe
2276	vssadmin.exe
4156	vssadmin.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 552619.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 880799.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
1424	msedge.exe
1424	msedge.exe
2444	msedge.exe
2444	msedge.exe
228	identity_helper.exe
228	identity_helper.exe
2156	msedge.exe
2156	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
540	msedge.exe
3348	msedge.exe
3348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	656	vssvc.exe
Token: SeRestorePrivilege	656	vssvc.exe
Token: SeAuditPrivilege	656	vssvc.exe
Token: SeShutdownPrivilege	4388	shutdown.exe
Token: SeRemoteShutdownPrivilege	4388	shutdown.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4784	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 964	1424	msedge.exe	77
PID 1424 wrote to memory of 964	1424	msedge.exe	77
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 396	1424	msedge.exe	78
PID 1424 wrote to memory of 3868	1424	msedge.exe	79
PID 1424 wrote to memory of 3868	1424	msedge.exe	79
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80
PID 1424 wrote to memory of 1152	1424	msedge.exe	80

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://dddd
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9f2cb3cb8,0x7ff9f2cb3cc8,0x7ff9f2cb3cd8
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4880
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1176 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6824 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,6599272847201975521,5511858607505922138,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3348
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:4180
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1612
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2276
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4156
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4836
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2612

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a34855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
18KB

MD5
5874476248aa64a7474180838abbfacb

SHA1
82bce12fcef16b46aa29747f1f4f5b3675ea920a

SHA256
69633ea1317c6e008ec045c365f8ac1bd633db8454c1d90eea7b77368e3462a0

SHA512
7847bc55ebe9dbc4a77f634d4f2f0ad508bf2e81ba175beb071b927d0361efb6cffed65479211c719b9f6bc29b91ed8d98164ed9ac393ac31162227aa50eaf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
16KB

MD5
6bd297ca3e7194e80a3b03d545a2033d

SHA1
6720368ae50640eedbdb4b4d3e1311a3d696bfaa

SHA256
e59224be8c0105da450467d1986adc9c315ffe34282c4b6def19ad9cf413db8c

SHA512
885a70a2634d882188241c5c725255bd2611973c3a6999220d1215ed90452bd418250e9f18e81722277777c66ebc2f693c37a988b6a2f7623295b34356b3cdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7dacdf27ec062c56e2ec5382b5633403

SHA1
e7bba910b601295f86f5176ab1ba565699977594

SHA256
003540e8218af1678ec426abe8eeb27cbf7fae45d8ba51afae17e2fb8782b133

SHA512
206fd4679def5f196c9ff6832d2e5d627735efb129cca737c86866360a9280d6dc13b7bb456000707113ecea15a88eeb18ad5d896725231db4cfb8bfc4d13232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c91030731da462a93a88b4f16416e413

SHA1
d3552657d5beffbd25083cc0e1e42fbd8ae13d64

SHA256
5fb8fcfdebb8154a4ff48a7ff1da44ccdaa23762e97ade402bab809edfdd46b6

SHA512
c60fd5a0dc5f0d4bf835f56b2a208d92766e62cb0f22e00589aefd988de5dec0416fdbf04a1671a95782f2d34f91f4fa464968f512a84423644b77ab86483fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5295c71892eb348fa99c653ca9264408

SHA1
b81996e3ac954a1011b484f87d9ccec8b9391040

SHA256
c7d59d7c06f11017df0197c82285a02ef824f9d480d40bdd094e0dcdeb2822b2

SHA512
285f0bfe3d90c3c185c7e0c2cd6161322f8f54c3c715341c01835be7106df2c4f7a2a598f48c3b0f7cf1c96a642d04a88d68f3801803d41cb3cb14ac20562453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a9b073dca7b5c0ddd7b028cbcc85556e

SHA1
a6843f20aa9150bcdec2a571b709d8c8506969ef

SHA256
f22b5f3e62880b85ea9e41f86ff83dbb9789497b94ca519cdc5b40fad8535ee9

SHA512
15f6ca02d6906787a74098452fc2be9fabb8bf36dd1367889bafb1f847f8dd035aba0faf6510f664f5cf61caf5e72c086dc6155a87b52c7153ca5a8e6d2ce48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4222f66b37ba40a5831f3103b4a81b6a

SHA1
980be63982eadad095b3cd38dd9206beb1b682fc

SHA256
359a531ba26b01b28f5d7727ff3bc27b260be34452b394db1065d1abb88282a1

SHA512
4d85a49a410a526555c9a2b55d410654b9ca270e1a4156f5fa196dc3da850da21076c00c77760a0db86eb32c76184bb1efe4d33acd3e26ee6b8954df799b38e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
125a515b5e607afd09a006bb8a1c0ef8

SHA1
65bb44387ef1633c27fefc1972681014fb622739

SHA256
da735b2aaa06f39bc2475443dba61f44a5a2d3df6f4c26a16bf3776bf25e2550

SHA512
6f68db3ae4887055b533da31f16a174ec0756912db4511568b70d550cd1404e1ae646cddc6cb7b0681bc9228abc9f19c6b15a73c002c10c2cc6929fe41211d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b6ee15078a1f107ce57338abcec2535c

SHA1
de878e4d0a91c85d111a5e9e6de1870de49b4b4a

SHA256
5600310531d1437835cf745fe23baea557967995fc12e696fb2345365606edaf

SHA512
f43fbabec3bc50be9be331e762549e4c03f9b2311afdc2b4fabc0445e5666d5ddaac5ac17240a5833166d7d264e2f25e051cf8631b63b14f829d14d836ad1f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8f4eb76d30c9185186d20222cfa71729

SHA1
37bdfd09ca667a135a98869c6b555dd4aaf2363f

SHA256
843dcee8059a0dc144cbb8d8fa2042a9ebff7dbff51ff1421b4c13aacb9fe996

SHA512
56e948dc3ac51e98101eeee17104b2961035ea4a631068f2509e7c88df2566d102dc3fd39eee64f97cfb33389038d5b4d39a86cc17b80e63891f6a734a1e9014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0abc105c25eaf4a40431a8283c44464

SHA1
05dfca8b433fc79d3dc354b5815b96c1b2a23ccb

SHA256
81504d4274b53a1a0896dbd38617a2da6a45f307e3dee98a92b7377f06c480f2

SHA512
13b5b8024b6c50bf6155dcabfc65be86b77d726cc889eb7a2ffc1b35d08b6313010b5f7cb3a075393fbfe6d9e5c3070eb1312b6b161f6a3f794b712dbf8c460f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f25cd128c3c67d9f1af8bccc4fa95ba1

SHA1
6985334a2f610a3c1677a8cffe708fc8dac638c1

SHA256
2a0fcb6637de0ff8536aa8e197acc94e8df11dc9fb1654487e65c1809b8d177b

SHA512
c1c405e2abd705dbccb9db4c35f45575b1684691d1b4e3eaa51abb15f46d8b66ae8c1935359d969222df5591be31c74311055285eeb50f796770cf971e2c62e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a73f789b79496c80bd11bc31d1dadec2

SHA1
c2639d70f245e566eca29c85ed89ab60a79fad8d

SHA256
4016c14313daf279e178aeff3ecad978fa379284a207c7227a86e23960dbc836

SHA512
51e7a374814825bf8a335ec7c486aea7abf1de709024a527156fbae0335acac0acc3524792da8e8364cdb6e4e764b55a546f3220cb404903700a051ba527973e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
dde7f76b4430b73b55b14d449a48968f

SHA1
5daf57974005c07163404e7db8fa2fe6329b2a5b

SHA256
0e22e9524f9c350191361e04242005b6cc86b071d2c1f0b04e5bd1189a589dbc

SHA512
f508ce52d0ecae162809c4aed145fe3a11494c73629615a132acba73c889345a2ee3b516c1a8c9626b51e45d225d8f2df6b70fe8efbac3659e9da6bbb14e6309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1e5b59359f6a75f7280ee963569cef33

SHA1
4edc995ac821d6727a1ecc176aa7b374fa985a9f

SHA256
14d20d3c5fc33400f4714f60aaded711dc6cc6abca13994dec4d49b59e0bf032

SHA512
401b84ac0bf253d3389a752b804cbbc9386149c058ac0df73e335d46b15b1beab6e29d98b662a5945dca8ebb40fa963d3d9907a5076899b0f970441b65f3aa8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8ce6cb7ea6f0f95e1dd4e436d03263e8

SHA1
2e65587b79b77b382331ca37b8fbe2370174b3ea

SHA256
b99998d14c51b2394b745b580f4280fd922edc97fa58a1741902a676a48b97af

SHA512
8390c5e3efec3c59c410b5054c33142811a44245452739cf87705bb95d19f9913948a806bda84ea439bba4ae3e95ac6cd223bb61128f46553950c261dbb1123c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
34e0eb3546e67bc1e04b8fd095a26e03

SHA1
c7d9f7206f1ab3ae83d8498bc915f3399f06e6f3

SHA256
75b15dbf9ffeb967888d5da481ecceac67f0e5d3254d5b51f72713dfef9d8452

SHA512
55f89a65ab86956ffca02681ff3ff0808a0222e5f94eb20636accb9a141a0b2d88867777137e7bbfeacd5e1599fb74b1d52631b07181c8558472d1a733b17fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b931155ccac054ad13c651d59f0b071f

SHA1
bf921d0938a55927a7e3c825fb07ae18d82f1a43

SHA256
f2065c195f095744c9ba279513cbff58e132ada526cc7cfa5d442cd26251ed78

SHA512
8f2e3095cbfa9ffa0ab8dff977e9f2b68acbd16c55dc8d5776ebb774be4bbeb00ff720dd14a846ad619c7912a7808e8908054dcde3465ba5872d8e3411f8e7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92e7bd4f6c444fd1d3ec55b35b71fed9

SHA1
33c594916acd5b6cb6a51c52610fb93ca6d8457e

SHA256
3659cf2bc98884ed595ca2f48ffd2584b6f99dc981497a3b33b3300b22ed03a1

SHA512
c1ecf7a450d81313823ff710065ab782d447a9554d982725d8afe13fb1b7b1d9e121f06c1e0ef1cc23f68aa84e0aa82e07712b1dbc176550cfb1e0f35bf4b284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5812a8.TMP

Filesize
1KB

MD5
d0608e8c7ceed708d52ea5e6867249dc

SHA1
3e730b9875f4b12b5f49e2306351e605c003aad6

SHA256
6af4d65c0523717c6b842456346920ad3f85442355cc8b5a3a7891ddeba1ebeb

SHA512
013adb40dd062343b04968456eab3f8323c7242a02c2fecb17904b3c9f04b01c3e8bba0670dc3e7304533203bf3855e5a18dee859dc77a7fe5c6765921c004f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c0a7984008906aa6f9b1e76741bdd73

SHA1
f20d28d54a9e2f2e895962bdd504ab7370f27b9f

SHA256
fa813c542c04123228c04f23794930ca2406f3d4ab1b1a332a0befef4ded4a51

SHA512
c32ecead5fb5262639960e946d57268de2d2883e736dd84c9801ae4e1c6df4cc3fce16beda48c87d90d37c584509bce972363a2d6aa42a7513ff21599554e4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3cb1eacceaeaa71b2f36bc330a91aefe

SHA1
33343360411e06f67cbe6dd0b7983b19e8e4a0fb

SHA256
6d93117820420ff25bc0460c5571476aa8fbc3e1f1814cd2632417c891d901ae

SHA512
bd14289d5b7ff3c963412b84a5946988129888f8295dcad893389acd3d81174ad2ccf4986cf835f8dbc7a60fc4335d487d674d0a7d4671aa07771bdcaf024f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b207680312f76489409c088f5631280

SHA1
c97a5f1e0e1933314ff07580470a3739ed188710

SHA256
7c551c07fa4312516aab29b94ed5cfda67e2dfae84ff7f2c5d0c667e2f3700a8

SHA512
a5cfb9b3a79d24a5c2ca8476d1c385d9b46d069b1e4811aebd1437f8dcdda0b012362e727b4ea008072f18aaf216cbbf037169e5a3a12b9e90d1071e7bd7f0fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cf88890ea396a49e16df8841e160cac

SHA1
18303da871f06bbb2928248dc0340ed677b3f713

SHA256
b9d2ad07bf7ad36db8655e00a78d26e3f587bee1088ac7b88b0c65673bcfe685

SHA512
ec3be3ca66ef2e8afa2de7703a8f46b436bae8a10a9a846f852409921ae5fef6788fddbb5c6f998f0b00a907f325377732658a0bd9599aee8bc0cba38b3cbdd4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d10beae6-2696-4323-9b78-5e2bb3d370a7.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
3e75c66ae001452c5618035b4f2cba5e

SHA1
073c16aefd69851fd513d0422280b33f4c6e850d

SHA256
993c27c3484b4140736d3f998c0b85852c7476be48ccddab250abfdb785b0a7c

SHA512
b0b3ac94f38af55ff6740e1d44077ae366217e9715b2a7c24e2545347a0fc3ad8a6c900b7998138a201646dd816b6afeb40117b716dab8712e4f6125aa737431

Download Submit
C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
221B

MD5
770dbbcc03fc90a7bdc5a9ec6d81b2bc

SHA1
0c127b6e062caed1a581edc3ffe5fa9c2cd98039

SHA256
773eaa9c919c51d4fbbca3ecf7a2bace49b874aac373a6d8f99e66f3384601d9

SHA512
40915dd92e502b71bc53cb77fcdbc783cb9c54644bb55978af8219d2d5c5ce4937cee237aa94720fcd506196ef2baf15216a8fddfaec4fbc714c905320793817

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 552619.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 880799.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
memory/2272-523-0x00000154DBA20000-0x00000154DC334000-memory.dmp

Filesize
9.1MB

Download
memory/4180-745-0x0000028119FC0000-0x000002811AFB4000-memory.dmp

Filesize
16.0MB

Download
memory/4180-746-0x0000028135710000-0x0000028136C9E000-memory.dmp

Filesize
21.6MB

Download
memory/4880-525-0x000001A5CFBE0000-0x000001A5CFC33000-memory.dmp

Filesize
332KB

Download
memory/4880-482-0x000001A5B33A0000-0x000001A5B33BE000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads