crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

30-01-2025 16:48

250130-vbellsxja1 10

30-01-2025 02:38

30-01-2025 02:32

30-01-2025 02:25

30-01-2025 02:21

30-01-2025 02:17

30-01-2025 02:13

Analysis

max time kernel
209s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat defense_evasion discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abb4-286.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	4956	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
4936	CrimsonRAT.exe
1476	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
2	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\de4dot-cex.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4496	msedge.exe
4496	msedge.exe
1720	msedge.exe
1720	msedge.exe
1816	identity_helper.exe
1816	identity_helper.exe
2120	msedge.exe
2120	msedge.exe
2068	msedge.exe
2068	msedge.exe
672	msedge.exe
672	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe
4496	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1432	4496	msedge.exe	77
PID 4496 wrote to memory of 1432	4496	msedge.exe	77
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 1336	4496	msedge.exe	78
PID 4496 wrote to memory of 4956	4496	msedge.exe	79
PID 4496 wrote to memory of 4956	4496	msedge.exe	79
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80
PID 4496 wrote to memory of 4984	4496	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc89f83cb8,0x7ffc89f83cc8,0x7ffc89f83cd8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,8889499879365500693,10242427083097242340,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7384 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4628

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Executes dropped EXE
PID:4936
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:1476

C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe" C:\Users\Admin\Downloads\CrimsonRAT.exe
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
4fa02ac6347763639aeb01d8adf287b2

SHA1
8cbf6b37f0cd329ba5b4f4f59437c55dd3057b37

SHA256
ec23a39504c8b289a6401723dd1a5153e9072e5f5beca20f88fac54ed3a477d9

SHA512
371e4b42152c578090254323dd4846df1ab38ac6bcff8ed6b67143dbfa5111c72e64366ac24b6ac04f3c405ce22e5f50f2a04e1805cce8b22ee8b95139a53afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
99c59b603e12ae38a2bbc5d4d70c673e

SHA1
50ed7bb3e9644989681562a48b68797c247c3c14

SHA256
0b68cf3fd9c7c7f0f42405091daa1dda71da4a1e92ba17dad29feb00b63ef45f

SHA512
70973ea531ed385b64a3d4cb5b42a9b1145ec884400da1d27f31f79b4597f611dc5d1e32281003132dd22bf74882a937fc504441e5280d055520bfca737cf157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
37KB

MD5
5873d4dc68262e39277991d929fa0226

SHA1
182eb3a0a6ee99ed84d7228e353705fd2605659a

SHA256
722960c9394405f7d8d0f48b91b49370e4880321c9d5445883aec7a2ca842ab4

SHA512
1ec06c216bfe254afbae0b16905d36adc31e666564f337eb260335ef2985b8c36f02999f93ab379293048226624a59832bfb1f2fa69d94a36c3ca2fdeebcdc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
525579bebb76f28a5731e8606e80014c

SHA1
73b822370d96e8420a4cdeef1c40ed78a847d8b4

SHA256
f38998984e6b19271846322441f439e231836622e746a2f6577a8848e5eed503

SHA512
18219147fca7306220b6e8231ff85ebeb409c5cc512adff65c04437d0f99582751ccb24b531bbedf21f981c6955c044074a4405702c3a4fae3b9bf435018cc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
58KB

MD5
1a66e7a04fd75b4124dbf84649d62e3d

SHA1
6cf9ee430ad835cae431132b306739f819834116

SHA256
f817e171b8d013945d336df3c6339bcf4999835e05197be2b3ff698081a997f2

SHA512
1f3b3231459ba24f8146582c81ce2929c22d27c97e1a6cc19d93df0ce78bd4d13927729ec50f1269f3ca5cc41de2764245706c785dd34afff668688e586b1f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
40KB

MD5
fc6557bdffc2399eb502eeec4df611e2

SHA1
8f6fc12ed1845ed2a35cde58d52039ed115e5998

SHA256
f94fcabd54d4796021377453a74f72753e70225e1ed81ca8b2044c2fef9b27d5

SHA512
447abe0ed097dfd6b4cd3961ad3e0bba5e7561d8aed270325227c9a3405a83e7988fbaea3577cfe5d721ecf9966275bcbd5459a2bbad4349429dc90b4d106665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
107KB

MD5
299ca95cc038a95290e1110e037c96fa

SHA1
cb9cbfd904623ab7287bb019c0eb0c48bfe5a4e2

SHA256
9847c0208b4c74a399438b062467820f9023534a5358fa5d6b28a4b0c18d033d

SHA512
6b61806258b2a02aa968c0ce55429adf5727af4420547532c9db10ae832f1e3abbf70d08f6c69e590d1823b6699685b0c153314ce113bf85d346f4dba0c97cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
16KB

MD5
1364101ded1889e3918dbb0e8fa5324e

SHA1
5bfb724d497c1033bd37073e6d2bb4bb6b5433ad

SHA256
310b6eb28fbb33575ef7da7793b6661abbbedcb9d3ff1e1a1bae3b8138667eb6

SHA512
4e3ac33b0dc4ce859e26841fd13e4a9f72b990f31d4c65ceb60ae7ae301a72dcc6c0e7296e5625afa0d58442d301079297d4708d1686111041243922c561a8eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8b05a4fd5edf88cd0526aa65d63e1721

SHA1
08511b19bbaa716cb56fac16bc42c04e9a1ef6b4

SHA256
8c409d5ef6624ff7b491546bc3232270c85f093405b9bca6d8fd539c9a6fe7f2

SHA512
cfed99a2b9450535b17d71935d1f90bc76f43c5e17c55cf1eee9798f0c8db57acbf3e59d75ff57eecf070e15a78111e4ca992f7554e1ced5a48c216577914fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f35095f1f4e2e0e6a7af310c169c0082

SHA1
c830b74e9abc8632da7fe1b96a1e6d10a1fd2d57

SHA256
8c33c91ad66a183d6a2e4884d9ba69769e38295bce461620b8243480f1c3c3be

SHA512
8241d91f94a80d44e824474ec1e2d3e785b2d2653b55e3ccc8f347d81d848a8b094e18e3957c5a627251558c966d0756b6b47938d30ca46cc65fd10125699795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
62ae2a2b6feafbc0ad211b0d4be98749

SHA1
765c460f904709d8a7231720714d032122e3fb5d

SHA256
4752a946eadc0eb602b51597f1070911b79de272eb1df2f8e74fd40540f605d0

SHA512
1084dfaa0dfdbce0bffd7c9f55a94cd3123b5d674d683a175695697dd266a098dbecd44b968a027bc6c68d5c94d42da2eacee51ade51f316225dd8e9572a238a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
63bf550e9b24277e38d8c96d10b4edce

SHA1
27a49e34b5393fb14f6ca478f0cf3ae025b8e079

SHA256
518e05a12550eb675c92f0043f0ec4c6be196d3440a458c226f62932f088362a

SHA512
15f812487e75368d8264242afe98b0ead942d064437f6d0bdf26b01b6ecee09ceb2d65dc6dc1bae60d45f11fbff102ad0d64968fbdffb16eb17fde154f61d50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56082d5f78a8d2f28d7f906c04a5f16d

SHA1
95a60b9172de4c19c467ecbe8e4799983cab0146

SHA256
fbb5a4941d4d1b98a841036b9d1f7fa8da75d9b5c1fbe17027a5b785d352b514

SHA512
085b3bd4dfa2a71a1fc391d22c4920f9a01855b6639b3d5e40242b2134cf09df80107b2fe913d24706238adeca2261a6a292fc1ed2e9341c5c99bb54a6a2907c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78e125e6fbe892bedf8b5d4d8e7e0d40

SHA1
030f58e2c949000267e2bf62dfa0550ab7958170

SHA256
150e817e688c2c5642a420e56429546d942af16287cfbc42cd50166aeb7b8dfb

SHA512
a241d56c5809c17a55730a69d9362647dca0a15d7e609e95e4d163b4ce79cd58c20347907dc5ac2388d40d286a2fdddd74e02fc6dd71b10dedb21dbc91bb55d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6dd64529dc95efbb4176223f6fde73bb

SHA1
392d8f2127ca0a3f60177544c44388e13505ff1d

SHA256
0a9e8cc19d2685f14dd8775a91d82ee0ac890e21125eb58f955a92b9f4effa74

SHA512
eccd90d823bf21b5e7a5ab12ea9de898ed6612749af59222382843c504854c4818f0b6db556ebe92d4b326de0a84b86e8674db1fc9cf10d3ff18098ed33ca95f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10b222747959cbb048744bf34d6250fc

SHA1
865d001643b1755398e9e33dbd6eee41d7cf3ce8

SHA256
b354ffb45ee0ba8af7b63a1048dc34e9b824d8c77fc1406f334f434d21a11066

SHA512
b7c90c4477cc7d5dafdf67b4cb48c0569cac86b3a1adc8b3be45e19c67cf5847153e3f4c8b1cb7104764574a0bfb64afac5dc726bf619cc18e8f46dc6e2e8c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eda899f2fb2260afa3ccfcb96b769c8d

SHA1
2a89b3ce1ea74b1f673780cc65ec245619c42e24

SHA256
bae61f69d27146700e0bd771430833d3c4dced06ca6fad4d83e76969b6d7485c

SHA512
6a94a5f9a5117e3177c40717e4b128bb819d4d6bcb2fa87c7826829dbed622ca01202602b512b8b09fa98caec4a5ed4cd30aec74bbe3ece4b298fff691b97572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6ca62204d02e936f022c1d6539137ee9

SHA1
d89724023fba0a971e5aaa4b5ae30f1a7766ef9d

SHA256
eb61246a40a817fc356490b3f9c68560f6d2d2a38c90fd1c091fe36bf0464e3b

SHA512
a57ad93bbdca3006e1d34db4336adc72cf40ae9050716097e62c889829e40fa6aefa1f9a5198c097c7a5e9d18966b7ca8ef328fb86bc4273deabdc9e3bcdb79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b75d5b53b684458e2e504ca2be0459e3

SHA1
45347de25c6c5080926ae8b8e6596cea60d80e34

SHA256
31922e1da9ae122bd2dfa31313ff9afe302f9b57ad227bcfaa9290f7377ac366

SHA512
64915f1910c9d6a3ea70c0ef0b5ad7a92378d26a72f829bc7a6f30704ddb2de28a9727e37fc792ef49ac41c71b6e8b405e73aab71841dd7bd14515376d62a6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
55e8565b79d43af0b6c9954672b665f3

SHA1
30c312c1ca4b0aa1bbba7431ef85e7a8c9cca8f0

SHA256
9e77c14687d512a2626c6e7dabde89ba4a5854cbdc310be9344e4f346abcef77

SHA512
9ac2ef3ab3ccef80475264477e1770c2ab9d27bc6b6089a4ba7950d49f5eceaf1abf72a792f8c2c9f3e47b4e31f31591a1d8b2843dc39e4a2edf200e95c28413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5804fc.TMP

Filesize
874B

MD5
a463c28d491130211b07f4e618fd87a6

SHA1
671406de3ebb05d481da9039d728ed928c7bccd1

SHA256
ecf11943c76811995efd2adcc897561bcdbc6d8330a491094510bddc02b25be0

SHA512
61a60a290b87823149c44c71541e8517062b9fa62b49158132b31b33159775baee2706eb76c418ec67601d1ed1a8783630108e42ce4b515087262ec8e7c79449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51cd82f67cf5e8bde197005a99179b82

SHA1
8aa9cf1485358c34afcb97d12ecd8add6421f168

SHA256
27222404af1ec2598e7542fe643223dee631b6337ff2d9ab3732ee2b138f1dc7

SHA512
2823bcc2a8ce5e979c26b40c57d6fda7c3810286a51f24c3bf44ee2fa7e2885ef3fc78bd052bc9aa28f32f551af27dd119537e259f89da84032bfd90c964d481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
601ddc0c59c870d2713b3f24ec61d7c6

SHA1
835e13913d4e8e1e026461570a971b37aca320d4

SHA256
a4cf9d25ede7fba0345d76da3445394f5815f3ffb5b0c5c603737fdaadbf0b61

SHA512
af71126b5b167ab7ce8838979030a3c2c678f830f84370d568af904f88a2dda2928e9770a4008951a365eff013d0e97ad72d330d42f3471e8b0fe610605cfee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0f59cd38ce04d3fc8776adb71d45ea23

SHA1
5017cf4d9da5ec04694553f87caded57ef630f5b

SHA256
a4f81c2ec16a4e67e65b288cf106991e314646755adbd8b1ff614a64f86b6ab9

SHA512
0c97a0bfc8ee6e6b32172b46a8ce68fc823e4ea10674f4cc589660888115a5bc66ea27e99de5571d00a34fefc033935c72e23962bcffbe966bcce0585011dbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
a88e0c4b16987b697070fbea652a8781

SHA1
d417cda5d536bbcc1b21fc562ee6a8d59df1c3fc

SHA256
7034e130bd8d096b21c6ce4cd1ac9b3ca45358d81084c4f9f2455fe017a36d35

SHA512
9f578fb45bf1ab5cb669f4419f8fd284df4c0fcbedeab5db2e821408ca8d70f1d0a1cf1bdc6cc4055382463835d7414b2e788adfe7d77acff937a8cd297f9e8e

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 667834.crdownload

Filesize
2.7MB

MD5
1a30d3c69919c1d7eb1d298f37426294

SHA1
be18611bcbc14c11aecfc3589fab1079a0dedf72

SHA256
c726cbd18b894ca63b7f6a565c6c86ef512b96e68119c6502cdf64a51f6a1c78

SHA512
6e00841a7192c451988b0a907e0f925d369bcb458366e86ae76f313b0d69afe57e40db137da45ba1cce7eeabf3f61e0e2fdf7d5de119a6405fb446ca22d41e4d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 881426.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1476-296-0x0000020F4F550000-0x0000020F4FE64000-memory.dmp

Filesize
9.1MB

Download
memory/4936-263-0x000001A198E10000-0x000001A198E2E000-memory.dmp

Filesize
120KB

Download