crimsonrat | e7d2e3ede3d3f5c6a83e124f853b69f535c261c47f1cf03e5d0aac518568966a

Resubmissions

06/02/2025, 23:27

250206-3fmf1ssncj 10

06/02/2025, 23:11

250206-26kvfaskhn 6

Analysis

max time kernel
97s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06/02/2025, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll
Size

195KB
MD5

b0513a2e9f11f2ebc7d739e84f9f9b98
SHA1

6b6cb092ee713f0caeebabec1fb855c95dc78445
SHA256

e7d2e3ede3d3f5c6a83e124f853b69f535c261c47f1cf03e5d0aac518568966a
SHA512

a9abf6abb993b9fb0baa9edf5a02da0be5af38e404021b9e0483b7af49f0c50aa2529c2a4b567f623a050b218cb94312224f3b7d4260d49e48598a0b6c982123
SSDEEP

3072:5A2UsplBHR7MBcf/UAZ7M37Dbnz4j4hEvDAPxTgSkRRq4YT+R+SrPI//ou77Z:q2UIuyfvZE7v8j4hzgSWrwY

Score

10^/10

crimsonrat defense_evasion discovery persistence rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ac65-553.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
53	4672	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
2820	CrimsonRAT.exe
4424	dlrarhsiva.exe
968	CrimsonRAT.exe
1064	dlrarhsiva.exe
4988	CrimsonRAT.exe
3432	dlrarhsiva.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xkuwenesanuze = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll\",Startup"	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 133426.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5116	rundll32.exe
5116	rundll32.exe
1660	msedge.exe
1660	msedge.exe
4672	msedge.exe
4672	msedge.exe
1064	msedge.exe
1064	msedge.exe
312	identity_helper.exe
312	identity_helper.exe
2296	msedge.exe
2296	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5116	rundll32.exe
4184	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 5116	3448	rundll32.exe	78
PID 3448 wrote to memory of 5116	3448	rundll32.exe	78
PID 3448 wrote to memory of 5116	3448	rundll32.exe	78
PID 1660 wrote to memory of 3188	1660	msedge.exe	84
PID 1660 wrote to memory of 3188	1660	msedge.exe	84
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4792	1660	msedge.exe	85
PID 1660 wrote to memory of 4672	1660	msedge.exe	86
PID 1660 wrote to memory of 4672	1660	msedge.exe	86
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87
PID 1660 wrote to memory of 4468	1660	msedge.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0513a2e9f11f2ebc7d739e84f9f9b98.dll,#1
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5116

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff971253cb8,0x7ff971253cc8,0x7ff971253cd8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,14938451440594200349,2248544025234021288,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:2820
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4424
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:968
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1064
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:4988
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
76e8221e9de8b177d89bd04cab2822ad

SHA1
7948d04aff094cd14f9e1abcbeea47c89bf3d637

SHA256
6bf4d274e005329fcd78b28d189ce5ccfbc7cf61e532b10ef14fa01a22485781

SHA512
6dbaa7f341bb7bc6bc8adfc8609466434e2d3244cf053db59d9115b08cd8c9344c91fe4115aefa20d0eb40ef28fb2db6222b007534d9c0ec6972af6b25594bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
0a6c8e71ba0ef69d68f3156053b78314

SHA1
e9084503849fc8d1fd563ac668090347fa124e24

SHA256
e27ae5c84f453cf099e749f343a54c87bf63bb0f8c10c976bd21cc1d41b935b9

SHA512
c7f64fe9102f403fac95b1cd0845cebb05ad825f293ea5589b23a9b1696d5cda96e9f0c9354a70d2069c74cd0d2fd519484d95ef58febef62126ceb76238937b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2427a4abec5127648eef63dd60f20a8

SHA1
32667a0db3c9060260100de757d172e5cbd6a56d

SHA256
3e56ab829c69d318401727c2f2e8065077373a1e5d4fff1f7d776b2dd7e09196

SHA512
dd989a650998353c46610b854475f15814866bc597c6333dbb02e6724c7b4cc94a7ffd3c4caefcbbc58e55bd6a7719b3f40d30634d2ec5e890e0be939c09aecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0eb226ec58d221ee924259def2fee434

SHA1
8cde12cb6f427d544ec77c7d905b3f9215132965

SHA256
f82a0d81529abd1170cceb5b260b0e1cbd04287e23ae84848f5959ac145a747a

SHA512
30e642fac60a240d3343bf467eff13893ce13cc3e35417acf3d127061a3cc47bd3a96d2e9cc5763a1d78a54d2ff87934ce3e6dd366ad16c02e1104a8b443154d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40c01f6217311f186306bc4c021d40ff

SHA1
fbaecf77f76f020933c9baf4dc9dd703042f83b6

SHA256
1a45b32cee99150944165b9c43caab4cc436983d81518907633f10363b31b08a

SHA512
a56930cc5cecb3a1e90fe1df27ee90d1c6456a712bdeaabe6f05a0a3676bfe361af479e348d1f075c9e08a67a9a89f75c9effe705784ad47cb6b49dee2b59af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
edec659aa190218a33574f47366a3aaa

SHA1
b4d6fdb633827d623ad4ae42a0ba861bb0d3a68e

SHA256
7a9b1fd75a2d62828ce3b5a91fb9fe2559337d05b03bda0abaf650e293d50e62

SHA512
778a8617f35994508b246c7d3f2b5f0761806ec6f054a8f7fc568e0d8ec57c98b328e8d2aa9639b36a1064937d54341de7a13582a67066b3b1f7c456b681747b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d1f2ea83924453be3d9f97366abe3456

SHA1
dd66e9578384ccf78f33f54a4aa37edac84aedac

SHA256
be2427406c229dee798219cf2141d61fdc70aafae302387eab8a14fb7c1f60c2

SHA512
66ab63905e8e2b57d75feb7469f9954aaf43f60553c9511c8f6e2d7de959dfeb403a048ff202469eede36e45cf4bb362b417116a2544c3bc9656cac642c5bcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4151583ada0ff40cdbb6e9c12de283f

SHA1
7e0ba957d0774ca9245199a2f2fd78da08f32b23

SHA256
592844368298068f89b9ffc9cf2ee465b78a88d3504616aa5b1ae8b6c0746d33

SHA512
f854789c9da1f241a2cdd2429a40cadb1085dc83ce8dc25b16f0a5a591f543341a1fe4e1595461967b4bf3d6d900f1defe5d2b421e180714b4fe629e893ab429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586a6d.TMP

Filesize
538B

MD5
bf179ba23122f3267c8bcc342c9d01ba

SHA1
0bcc00ded4216dc84705c188a2c871cb6bb1edca

SHA256
953d63001dcb8e3626a99f5dab91f4caa44d4d49aec976c4877e1a1e1e805f33

SHA512
104cb16685315f6bb536f7372e36c2dded7033a9ab0a84aaed3775b7ac9856bd9776c6f78880dfcccae04066aac898d8c48c19a6fc16b6105fac7c89761b3d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e08fe17885aef3ad63995eadb44e1dbb

SHA1
ba4352bb2d80931245d75b625ec7f09f79f7dac8

SHA256
f39f31337cacd80101242eabf5fd23aa7f891c52acd3430b004139d6cc6a276b

SHA512
13bc38da980438641c4b32d8e2198d2ada869b6b38a78d30d39123ad7e784a8c258762730aaa1d3bdd55c041e8a746153f8a11e40459107a0b6595e5473b66bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a5e8d8eab12ef2701c0162a04959581

SHA1
08cd78b70746c582dd7388cab259eb3722ff8748

SHA256
9792e26dd843beaa0235ba739ca3054ed211849789f99c46731fec1337f262e2

SHA512
486cc698dc95a504d2c81097142f8c6c3fe19abd04841315d507fa071949319a948d5accbbaba0bfcf5d1c295bdd55436a9065859d609a17ae7d5c46caa68c86

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 133426.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/2820-516-0x00000182A2050000-0x00000182A206E000-memory.dmp

Filesize
120KB

Download
memory/4424-562-0x000001C0DFCB0000-0x000001C0E05C4000-memory.dmp

Filesize
9.1MB

Download
memory/5116-0-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/5116-20-0x00000000020F0000-0x00000000021F0000-memory.dmp

Filesize
1024KB

Download
memory/5116-19-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/5116-3-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/5116-1-0x00000000020F0000-0x00000000021F0000-memory.dmp

Filesize
1024KB

Download