crimsonrat | hxxp://mega[.]nz/file/JVE1yLoA

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mega.nz/file/JVE1yLoA

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023e56-1039.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 6 IoCs

pid	Process
2100	CrimsonRAT.exe
1728	dlrarhsiva.exe
1892	CrimsonRAT.exe
1968	dlrarhsiva.exe
348	CrimsonRAT.exe
1472	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
155	raw.githubusercontent.com
156	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 441861.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
2496	identity_helper.exe
2496	identity_helper.exe
3736	msedge.exe
3736	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe
864	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4804	1680	msedge.exe	82
PID 1680 wrote to memory of 4804	1680	msedge.exe	82
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 5016	1680	msedge.exe	83
PID 1680 wrote to memory of 2484	1680	msedge.exe	84
PID 1680 wrote to memory of 2484	1680	msedge.exe	84
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85
PID 1680 wrote to memory of 1084	1680	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://mega.nz/file/JVE1yLoA
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb3346f8,0x7ffbbb334708,0x7ffbbb334718
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6576 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3736
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2100
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1728
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1892
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3083274557756347164,11763554753314044897,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4412

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:348
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000086

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000087

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000089

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008a

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
32a01a403d0f43c5fe6cfb04717abbf1

SHA1
1df32651243865253c4f5ea55685d4f73e94bb09

SHA256
6e66c51e4d02bf999fed51985ee67b9666cd0327c88ecaa91409bf33e7cc2f57

SHA512
3dcf52c5b1e4903d0ff3ea3b9bc4c4c527ddf6cde5480ee6abe3e4534fed7de5c6a7471a02d732e805461eecd137d7fbba44f2621ae616900761800a0ccca2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
c1ab848d8ace268d7a7ef403c7e999ca

SHA1
951f7b8b4354f3ede73dd23e44ec27c7f2d33b52

SHA256
74cda5c3fc0869ebeb481754ea12dd4b102a9e0c3e30b5b90db6df6a2b6a1349

SHA512
ee42ca09ec529ad47a8b10bc298f98314bb3851d9eed9015a3ceef3e3d0694d826fbfc072724ab2631fce06071cb45f128e64531ff9adfead41ebac3c9e61331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7acb57fc0e4509c4758362815ca4e5f2

SHA1
fb277b1f175a1463c79d996043f503d6ca857166

SHA256
3a3d9b4a0f208e82442e8792d3f709561e56b940772c8b8736b8e5c68e1c71d3

SHA512
9d9ef80746479519826d8a831e71da1b5e4c388bcdc88519815259f7c09212280665db1e7f20bb12ee5dcb5c1a2990bdff1127ca303ece44a49fd7a0914a8fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9459a4d9eb86570da4196e1c49f7df25

SHA1
b72839a80b6529976f129069de64607472566a88

SHA256
74c2c8bb000ef4a68b49f3608788348cc71cd76d8638c584b72e4bcfb063298f

SHA512
27fc34bf3b70bf24b2728425d8fd9e07e0c652a1f7596d996e8124da52cac344d18a23d1088497475f34197c25400313f4ca55a6615598fb2ff098d90dda583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
278758c0835d335694a68d9772042742

SHA1
0859af6125997316c6156a20eafbe8bc67612879

SHA256
67a70a7c619adeb0709702d4bf07d054bd8b3b8aedf749d7271ab5ad2074a5e0

SHA512
cfff3399a52a2c77f7e1a4954d92a7bd6581667ad0d647b60e7794d327e92133ce2f6e05c730abed3d0c7b637f8851b91153a67a50953c30a8f01c4fa76c0f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bc233dff34517692ec804e7c538a6b4c

SHA1
278a1239fe97ebf025c72799bec9e4d239d49bb3

SHA256
60cb0aeb910e4aefa40e90222b2b73ca7ae74dd7e6de5f2c1487605ef1a44e89

SHA512
a77dd44790fc618bf60935ec26e5b24946b6d8247f63c58c843eec05914db97e344dfe94457119de2fc2bb95879a49f6ee1263c3d3a5619ffe6ba9a7a0cc5de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
98360ae5d72cd713dca8c73c644bf972

SHA1
a3a68397e42fecde03fdaa65ad5a8f3b485ad07c

SHA256
7ebf112629c90d2d119732a6bdeb8bde844c884da6d466cf7ea2c5e9e46ea38d

SHA512
317363f7585d39f2abd1edd1bd92a9b50dab45faaed2d325ecfb51e6dfa11ec831d99f0553d1d5c251b0d18e323f51c3ae858445296cf188b9aa440ceb8c953f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
784f5d396dbf50fa586252c2da351a74

SHA1
67aeb8722eec40caaa403610c11e1c568e426c63

SHA256
31630fe21c3d5b062fb4432128c54a2b535440362103e978ddc887c77ee0dfbc

SHA512
8edc664add0e653ab5d43dabca5c41a7abb17cbd4f020c9fa456a09f5449d79c1f545950a3cd13e571444a132b4217afee01e0ed8baddc268ffc7e956cc3afc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
962cad86bd0c089ad6fb3c0eda22661e

SHA1
9344053a336942057015bf77adb2ff755d45c2a9

SHA256
38fcd580d53bedc4a3f74cc48b9b4ecbeea51100eeb3c300ac75d2abbc61a419

SHA512
e6d68765424795845ecbaac38b5b2fc366007d01c30212feda977adbdbc564fc9b4d3eaa83dd02a0c3e866e0c3467317f7a918b43913888a5bddbbb6ad2a8bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2e235e70f8bd96910b7069a3a1211b2b

SHA1
a2e7330c6f245aa88e9257b619ec24f1b088d87f

SHA256
d4dde4f5654ba8f6ed185c6bf2b21f52b1e4db5d20e329905f61b2ba03651d56

SHA512
19454cdfc5ee40202673c0d6fed3c3025aed3e873f8581ef335c81e1d49849eb5f6113c1126a42935a19536ec28c471e277baa3dcb87e6f80a647ef71bf38140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a004.TMP

Filesize
48B

MD5
2af21ecefeb56a5a030f211777dd39e3

SHA1
dc9100562970b0e73ec5b7cbaf7fca560b708cfb

SHA256
b91e5487ed6a4f5b94bd32feda7068f5eb7ff88225dc864ecd6fe1f769aa0c18

SHA512
868c3e1157cb5abf2f832e2b8446556efaaaa924a7b67653f6161bfe51da321d03ee911e8ea190751ca28cbf87b1c12b73d6b10963c181bbc960c9f76118454f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8078641bf474c08c1c5ad89e99d6f4c0

SHA1
94cb6440feeccd8c195cfab32365b877c6597f82

SHA256
3c514d4c82ff9d94f893fbd77c82219c1fa396e05f3123783eb885c45d8a3eda

SHA512
3471f778a45b3fee99de9adb7eb3af14d6bfb3856ca406274ddbfd4827ad35242e35731814e4d674668642efca00bea2a13398628a45a02bfc3940f61f6ba88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dff0c5202f2455f5f28413aaf30e0d8a

SHA1
6725d148e63e6c3b361d3421b8d180d52c1738c5

SHA256
a051dc76e0641130b1ef855d94fa85afe16b994ec910965eaafdfe3a650fe118

SHA512
8e5504bbbbdc0878790c99a33817694ed0ff139440642bdbb4a6e8d6519bf97332693a6e9fc60bdc1492ce78d7a7c2b990e564a35beb6a0dc3fd3577eaafcd7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
67fc7e535fe033d1134e73f7b1d6755d

SHA1
1feefb159fb31b3545a5fa89c0c05ce4728f6f70

SHA256
6632676aaa2ae74f5568ef511874033cc546bdb53e357138dd29909c6d1118fc

SHA512
2293068b3f742b94bd0231e728fd49ed4ea4df6ac40c01cb5aa6ab42af173a6a2f32fd2bc4c6529097a9b8dcfd758025b05ce36c4e9a4aa70ee2871a50d6a409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e57728b76570cf96934b3260e262eeca

SHA1
0efc4b312a9d2ecc8c038fcffe87b651460c88c7

SHA256
b4a788b7f3b156ae9b1c1b3c0cc88a78da76ffb756dcae1bff2f4bfb96dfd4db

SHA512
f944bb886ec2771c1a9f233d8ad1cc59db43a1cf2a96f8e7590fae1df6a9b8ecdf1fc8aab5e7f96242515efef3e15fa5b310aa77f69d1ab050adc88512a45d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9c290e9e6f324922f07244ea83867d45

SHA1
a8c5ab00da0c81bdaee61355e4346115e1857175

SHA256
b31d88853082023e9c3a45a1aa14ba1d3c3330a227320cf333add0c7ecd7513f

SHA512
d7452c64106b8f6bf5aad9bfcb2fab52acf7c7b9e23319276efcf956b26e573d57f1f481680b46086bd3ab7e052b65d19287b364f5707dc65a7cc30d0b383971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5870a7.TMP

Filesize
1KB

MD5
d2b1c8ba840673695befa4074ae650cb

SHA1
d545f7983bb6b451112c0a0b8c8b1303048ba4ad

SHA256
10bff7b55a32d31ad6f656ba0ed50438be7aa317469b0852da9a3449268a1ff0

SHA512
c6f6463ccb94895def7d56514718e1a2edb825421ff36ef7a292f21e771236a46c5807e7f391e09eddf92b01893be5842512f10792294d08ceca605d0efaf10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
61af202650914eb45e77ae93690dcb3c

SHA1
c52f11f85c9e63b00d209255c57e165c9054a4db

SHA256
8b9c5112abcc755c08e3578756fbbf20576568139d5671f00334d6158bd22cc3

SHA512
68a605f537d362afb0b8210c5280ab51f2467026eb3a4241780d4dcd2a89d7896f542aadf0c9860df60bc1b00e13b862a1e55fee5b4e7772c0672f40955e94d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b209fd27cff2757e6fda90b7919e3b0

SHA1
ed540abd534cd543fcbfc2d1f953571f5d0ea834

SHA256
849a8ebef00d89ecf2e29577e30c063312ca52c3c942fa8fb954eb6ebd12fe22

SHA512
c20b5fd62d9e1bb9952616eece760b5ca8fe9640069fa2f455f02d887e3d00be300432e5a2694c58e3f41ccaf2887456b794857984a2ec787013fc1407f92eca

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 441861.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/1728-1066-0x0000013DDC930000-0x0000013DDD244000-memory.dmp

Filesize
9.1MB

Download
memory/2100-1016-0x0000021C93D10000-0x0000021C93D2E000-memory.dmp

Filesize
120KB

Download