crimsonrat | hxxps://github[.]com/enginestein/Virus-Collection

Analysis

max time kernel
154s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
31-01-2025 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection

Score

10^/10

crimsonrat defense_evasion discovery persistence rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abd4-312.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Downloads MZ/PE file 5 IoCs

flow	pid	Process
22	3500	chrome.exe
22	3500	chrome.exe
22	3500	chrome.exe
22	3500	chrome.exe
22	3500	chrome.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe

Executes dropped EXE 8 IoCs

pid	Process
4756	CrimsonRAT.exe
1804	dlrarhsiva.exe
1900	Amus.exe
4268	Amus.exe
2544	Anap.a.exe
3028	Amus (1).exe
4492	Axam.a.exe
872	Axam.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\limewire\Shared\Super Mario.exe	Axam.exe
File created	C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe	Axam.exe
File created	C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe	Axam.exe
File created	C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe	Axam.exe
File created	C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe	Axam.exe
File created	C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe	Axam.exe
File created	C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe	Axam.exe
File created	C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe	Axam.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Axam.a.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Anap.a.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Amus (1).exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anap.a.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828045346518513"	chrome.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.a.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Anap.a.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Amus (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\Axam.a.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
3152	chrome.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe
4492	Axam.a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1900	Amus.exe
4268	Amus.exe
3028	Amus (1).exe
4492	Axam.a.exe
872	Axam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1028	1436	chrome.exe	77
PID 1436 wrote to memory of 1028	1436	chrome.exe	77
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 4368	1436	chrome.exe	78
PID 1436 wrote to memory of 3500	1436	chrome.exe	79
PID 1436 wrote to memory of 3500	1436	chrome.exe	79
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80
PID 1436 wrote to memory of 4128	1436	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/enginestein/Virus-Collection
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3bcfcc40,0x7ffc3bcfcc4c,0x7ffc3bcfcc58
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5012,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5024,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5252,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4876
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4756
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5364,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5372,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4456,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5332,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4556
- C:\Users\Admin\Downloads\Amus.exe
  "C:\Users\Admin\Downloads\Amus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=736,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5612,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5736,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5664,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1904
- C:\Users\Admin\Downloads\Amus.exe
  "C:\Users\Admin\Downloads\Amus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4268
- C:\Users\Admin\Downloads\Anap.a.exe
  "C:\Users\Admin\Downloads\Anap.a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2544
- C:\Users\Admin\Downloads\Amus (1).exe
  "C:\Users\Admin\Downloads\Amus (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5700,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5640,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4468,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5496,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=972,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,10284910245966051371,7073399527219977037,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4092
- C:\Users\Admin\Downloads\Axam.a.exe
  "C:\Users\Admin\Downloads\Axam.a.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4492
- C:\Users\Admin\AppData\Roaming\Axam.exe
  "C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\Amus (1).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:872

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autoexec.bat

Filesize
302B

MD5
3565a089a0f8b2b5afb04ec4379b44dc

SHA1
4075ac633db35b158e4142860a2fd4f331780f9c

SHA256
941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb

SHA512
112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4de22aa09764f15b0a0b9bf367ab0e87

SHA1
d2e8b52d2a18faa219041a13a4d6433c31168031

SHA256
dc3849111fce8f2f53ac013b3da9993084a8df20b2ac40eb845b031e33c97b6f

SHA512
ad29551eb00f2c545948592d4827223ab83ac69b239166d56676449ed556dab2e66fae5c60cdc02ccb26db39290f0e1c7c9a7e026acc7598398944419e60ffe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
186e60816080ab772730d34b6d5e3db1

SHA1
32fa340defe8c964af43246e147cd52c9b0bca09

SHA256
c1219cb76ab6a577775cd4969a8778bc28e44b1b20949dff1446f82d58441ada

SHA512
697a174737d04c3effe8a1f0e91c5103155dafb20b0ee87038d3c181b79d1cbfc15351ca46e074fae23776038e2e0c85bbe516187151ceb42ccd5c9b3d0ecb4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
89b05888430c6743e5c674a1a4d106ec

SHA1
d50de685b0647e9ea0c0daf2f91d6f122dfee3ee

SHA256
5bd3a30f9568738896b4e82074369c405343546374729e618133fa549ad44a9e

SHA512
bc02fd4fd9489564c7eabfa482e9743e9965f07c3fde404fc4abc6a6f6216b7ec4dbf942cce767082ea031ee0b234aceb5d6e9060804b03a63a832322c55ae19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e4740eba254bc5313ab1babf43c0ccd7

SHA1
efa5ffc807f6cc60a647122d5439232d75533ba1

SHA256
a954f2cfe47bad2979528c080ef512284b9a26fe9a684f5e86d698521d76600f

SHA512
928b78d10364996b135c9b33720041acbd0abd86eb6af6c81275a3e4ab7635cb0691ccae3804b5792166b20a9e2fbc3b2886e01e2da9501bceb3cc8f4b80d01d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
52e6684f75a7b09d333a96e9a6753bb4

SHA1
449075aa4f80bfedd1a2fd9d90091fd9424271cb

SHA256
db5844115e2bc6448ceb81830202412d38f54dec6ef8c865281b67228b10a2e4

SHA512
9749f6bc99ed572f370c3f7878ac04681eeab4055d7cc3a179ba75e2481ac55e59d2fa2fe9bc09ba5f9c73b83bb9315e3ea1554ab8e8d0e769d13509698545f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2f571abb540d035997f75f7fc1f72206

SHA1
859225f107d388079544e83a3c6622fa51619fcf

SHA256
c63637cc836013411a015232f384c5b10e2726d2719ebf06b94774e26eb10ddc

SHA512
0c72543f80d4bce83bec5a7d7907447fdcebb0735ad4b851fb325871d74d412f49029fc933c8f9bd26c02ef36b627dbfdf2d39be6ecad908a8277ea294bd80b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
252e6c8048548808e1f02c5d2f588019

SHA1
290e18fa5de6dcbdfb1f2527fcfce551e72cbab5

SHA256
646035933bb6a067cab1c93f71b499dba73c319c50f92950e146133393e1ee34

SHA512
857444dc768781d0f0f0b05e77964775783fb9b6d2766422171455e1281e3f406e1081bb9a29f0f0ba374b434df3375dcadd95dcd858058c1719916de7255ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d707b025064737210c5c1a64b8f10156

SHA1
0c6074bf16423293daddbab6f00685a761544d3a

SHA256
ee9499285079b64ec2787f2ae37de6fc4d0d1ed6379e5adbb8a06dbbab234608

SHA512
b87080a3a39125ad2d8b55e9d5b879325122c4df5628f9ff3be946f871199ca6822515114f73e01bbc2d5e80618e9d6ac23f645675c77e148e49bc5392f02298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8fcd262d99e31af34d69987a41311417

SHA1
bdf1d7a44e2c84f17f44e009c4856499cfe97e6f

SHA256
29bd21ce1f14a7d7c8b139a049d6746b12dba2f8260164ba2349b94400dee28b

SHA512
1420c480d619f839663005d394009710196cfcf7ae08b85c7a1a474958ce774bca577e4aa27babfd2fd76fe5771bb1daba2e03af00734366d58839180f76ccc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b9dcd1cd899231dd846286cd17ba2159

SHA1
fcfeec5a54ed8e83c76999fcfe4b0fbc79629e4b

SHA256
43fdb753e4cb81cf848f3762e46686821c2bc80c6f136355a130bd113dd9c02c

SHA512
88fac946611f4253d9294411df6f744a4460aa2ae7a57c9365b5a2f4037448219e33947cdc9fec5614e7e391915a96a8f5a268ba7cab2e8769b00cc7b0dc3f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc8e783201ef7895fc1ddfc57fbcb905

SHA1
08d8a36d2ab847a89b1da009b3751907a3ded45d

SHA256
3029d33a54ebcc73b1fd8a90f0369f2c46e80396999312097c356a8967dbe123

SHA512
f8fa5d83d5801d5b458f46037c049a2fb19295ef6d8ca88faeb38c724eba7590bd78054158be55642c3b2e1d70ca9d307376f8bbed394c2c439ed266a5c6836f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
33d686a4f1e6fbaa23146d08ebab0779

SHA1
0ab3409ceb35462c34a835bf9884a15d4f1107f1

SHA256
17b7292a3f5476ba3327df989fe0382352ec00478599ba702f0a6a7d113ed22e

SHA512
205dbc8dcdcb7905e204b23c7ef95cba567d7a4a237f7a785af20e4b3434efd6bc82f3d9b95bea53a63c3725242f9fb6e63824dc7601e5a69549f6666b874f1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e125c2cb203bba7cc3b218d973fc821

SHA1
ba2bef079caeac374135e2ee6740ecfc1a092452

SHA256
04ae71cee9a48d26beb521a0460ba2b88d40c9b57a57902a23b980cb37bfc7fc

SHA512
61d86f2ed6f654e6deca5aba3c258c8c30f1e2427acd158826629d32a4ab6a6f68cff9bc18c011643267a2fb7339ada7deab27fba52ee7d51b8cf19c7740c0f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd5b6e9edd1cf8e1902f43168c41de07

SHA1
9099a0b06c5ebe45359aa6dfc8c655b037858ea8

SHA256
f112beac674e9fc2df61133480ce1efb46bd12cfc7af8cd96e2feed3613373a0

SHA512
47b5c768315ce04d25b92509799020fa5bd2a91330648d13d0ed5eaf734c1c3b7c33b9f41a4764f992e41d9aa8d72012382751a4ba5c2bc2fbe9b27cfd267274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f1f8bc69910432a0cafca4ab72060d3

SHA1
1ce4116230425f235f8379c67da6590da657b1ef

SHA256
14289c350cea361b285c17666a6bccbc969f97431f155e7bf707fa914b5e9616

SHA512
0c1a7b5a8c7bf27aa0061e6d0d353850c67dfc2d30b3e54bbf82fe05c813d9f55e1642cf0fe0178bf3cfb639edcd67864bd316c8c79297bd756017ee71d73d08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c50b252006d20ea7d19079a2fb5c61b0

SHA1
5b6f07719902c2be50261fbc4c46377c1a543f2c

SHA256
a0b528bdadd6a336c95abfaec689cee266bfef64ea13b6c5fea784b986a08302

SHA512
fd948835eac2f75cbc038f8e08a226ffa8db87bed23471594025c188b28a53df9f9316055e4deaaca2fbb7cf244c6b33e812b3fafbbcdce29208fe11742ba86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0fd1ec302c2ad47a79892de8301494db

SHA1
4a5ae8a36dc6a2e9f10e3d6f5ebddeb0db65d717

SHA256
8324c8b6cd5f19f5411c67060eba75d2b3cb18b1ab8db37d47c515a939bd4241

SHA512
27ac1e6dd170070a498856f8839294ee0983fc542f3bf396c589d2ce3d5145ed63f5dfebb8983cfbcd56ca535df172776267b940184e8935bc4a648eaf319df8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2a5791806129c7a16cb99c2303891071

SHA1
d728ccc89f538b2cf40fd7e3e42a9b63f496d319

SHA256
db5089aa90ff53b4361fbcc04c6def6e1a7823709af21c122a96ba588c3ab9c8

SHA512
69ea3f0edc1dd959c74b9009d66c3026c696ce2a2902912ecd7ebb623d8e5bff9379c364e2e4c7908f3981d6348e6f5dae1220fc5196c5860ae1d2da93304062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a772b611e6a514a5af31e904a477124c

SHA1
e0df7c099df0ed02549cdaf2eae9316eb5771771

SHA256
427511ccfec5d152bb20c794965b4825cdb7a4f63ea657718a1ee8cfd1c91a8d

SHA512
ca3a182ff3acf9548e70350db2d7df6e86dacd1f48edda07f3b087163f0a80be5cc17ffec7147fdde2c70dc2122d38f1fe24679fc6ffc16cc0e86526b850dfe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6e087cefe17cab21b04f4c2c20c75920

SHA1
de91e9830ba73d40e924bbe4b0c2b0c7e5c19598

SHA256
36166b533a4d7b30eae8c8898db30b99a7207af617987e5b443ec0ca1729da6e

SHA512
81d06f3c642337c46ee7ac46fca29b04844ded6593911f57477f29ac85f60e4385455a271b3146d376c0a57db664f71ddcd6bf37b58e8e1aac4ae9a3c4cfad8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
721979feb41a331016fb9e0342352c52

SHA1
f3b9ec5f163830add98adaf8fc64fbabd7d7738d

SHA256
420ba7c8c0c11ca13e53a2baafbb513b69dfe342aacb30fa4c7d1cee5dc82bcd

SHA512
9e56440a69b87d3d9feb86ff4b939617483bde694d1dfb1cf140e97e6c054078d1b6163c9be01ff6d88afcf7c86adb8ed7546699f5175f83dc946b9f39d9bb38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
79b32de7f9ae11db0e1fab67f4494b2b

SHA1
1b0ed74a32878c0016a4445dacd9327919d85cb1

SHA256
ac891f28cb38eafbfcf5f5e7dd68222230327d3f613fc27ecbf1363c75527c2d

SHA512
7fd2850ef4c4dd0eea4f528b22213ac3cf61ceecf482a5fd609eb6541e727422fefc1bba32856c2448f2a142bfa085c7c81110504d2949729747b733e373a8c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
97902ca04b3f3f6d42d5744dd42478eb

SHA1
b56d62c109b76e0a053fe9009fc6ea4e10031eaa

SHA256
6da0f96dfcc1a573e9f6d7cb8044f3fe22392fcf9bf5321dd9a3b01c5dc9616e

SHA512
a3cb2a854e37138e87271e3c9d4716fcd89c7a1910af29071003527da08b4e2a1db1edffcf7a0fc62e400692ad91abe30d873f3be448497a5d678e735cbcc1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3b6bcc6a53800a81ef8558eb383f4f90

SHA1
eaf6cab1e50cec977bc0c43123eb5dd765fb2bc9

SHA256
cdf360eff5e043e6ab4ab6910af8176d547454786a8d181140435cbdac03bf93

SHA512
a701c7d039d90211f790121bb209428bcd3aa118ce6d21450fde4320f7496659c1e221f5e0bba9d1c3723613c3228a4abb37fbfe1134efdd7373152fa4ed56bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
99f6567a511e3b9bfc2d86ad89e33e31

SHA1
f3a0fae113dd0073f77fd23bc2365d7c2610e686

SHA256
c77c32748cb86d20e087e12dd06b8ff516479e536b91ae017d9ebe8ea8ce3035

SHA512
16b1a0005573eca7aa7fa89319e8807b5fec4c444af6ae4c7826fb49b0081388fc192caf087611ec87354f93a1df0ba2a776bda742d40d62b7ae445e13ff3e44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
167ce4e45987835114372171ffafeb72

SHA1
110d4d0bba8c38235e7a5dbea4cd14e48a91f596

SHA256
3d28aa2b580f9c2777f682b49104845867c29c45cd91cd1a2acd3ebb5c7062ca

SHA512
fa8139c9e4f835e3951cbd014406c93bc0e3a5e61b8ade47bde79f4a97257cbd44dc2c1938a61f83f4677fc654d29c805df3a562b3294947023f5613a997592e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
bcd74c6f70345d3c5f5cfd44a24e66dc

SHA1
2a51eaddc619623645f2644b62fc0f9b57d892d0

SHA256
bd77eb6a48eb12c121ff916b9682613a02cf61ce139c7ed6d832260010c3743c

SHA512
c6449877eed9e81d49b73a305e8eeb3762d133af5789c11dcd73332ba9cf43626513968f8cdebc2923117659cc1aed7930223acffa0ed156e8294e43544be030

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
334d0c49b777673e73e9ba6592c0e81d

SHA1
fd1b538b5e3eb6d0eb5888a86c9bbea22852bfa7

SHA256
8e23a63f60b65d8b0d4a8deab98424b127ca48cefc6aaf5b2d19c6126a22728a

SHA512
6dcfbf5f1d64389500753ef27b6359b1e1d5780d3b68b9205f85462146679193cb4859652d96092049fdf798ddf8b50c34c3b4702f407964c9783927da0a08c5

Download Submit
C:\Users\Admin\Downloads\Amus.exe

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Anap.a.exe

Filesize
16KB

MD5
0231c3a7d92ead1bad77819d5bda939d

SHA1
683523ae4b60ac43d62cac5dad05fd8b5b8b8ae0

SHA256
da1798c0a49b991fbda674f02007b0a3be4703e2b07ee540539db7e5bf983278

SHA512
e34af2a1bd8f17ddc994671db37b29728e933e62eded7aff93ab0194a813103cad9dba522388f9f67ba839196fb6ed54ce87e1bebcfd98957feb40b726a7e0c6

Download Submit
C:\Users\Admin\Downloads\Axam.a.exe

Filesize
11KB

MD5
0fbf8022619ba56c545b20d172bf3b87

SHA1
752e5ce51f0cf9192b8fa1d28a7663b46e3577ff

SHA256
4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74

SHA512
e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/1804-321-0x0000027719350000-0x0000027719C64000-memory.dmp

Filesize
9.1MB

Download
memory/1900-578-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1900-358-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3028-459-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4268-442-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4492-579-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4492-609-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4756-287-0x00007FFC26633000-0x00007FFC26635000-memory.dmp

Filesize
8KB

Download
memory/4756-288-0x000001CE8B1C0000-0x000001CE8B1DE000-memory.dmp

Filesize
120KB

Download
memory/4756-289-0x00007FFC26630000-0x00007FFC270F2000-memory.dmp

Filesize
10.8MB

Download
memory/4756-323-0x00007FFC26630000-0x00007FFC270F2000-memory.dmp

Filesize
10.8MB

Download