crimsonrat | hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Resubmissions

01/03/2025, 12:05

250301-n9ewpszxft 10

01/03/2025, 12:02

01/03/2025, 12:00

01/03/2025, 11:57

01/03/2025, 11:54

01/03/2025, 11:51

01/03/2025, 11:48

01/03/2025, 11:46

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye

Score

10^/10

crimsonrat defense_evasion discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aee5-331.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	5308	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
1228	CrimsonRAT.exe
6064	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	camo.githubusercontent.com
33	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3517169085-2802914951-552339849-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Pepex-B.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5308	msedge.exe
5308	msedge.exe
5188	msedge.exe
5188	msedge.exe
3344	identity_helper.exe
3344	identity_helper.exe
5524	msedge.exe
5524	msedge.exe
6092	msedge.exe
6092	msedge.exe
3932	msedge.exe
3932	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
3056	msedge.exe
3056	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5828	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe
5188	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe
5828	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5188 wrote to memory of 1376	5188	msedge.exe	81
PID 5188 wrote to memory of 1376	5188	msedge.exe	81
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 3784	5188	msedge.exe	82
PID 5188 wrote to memory of 5308	5188	msedge.exe	83
PID 5188 wrote to memory of 5308	5188	msedge.exe	83
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84
PID 5188 wrote to memory of 2028	5188	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Binaries/Ransomware/GoldenEye
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe84d63cb8,0x7ffe84d63cc8,0x7ffe84d63cd8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:820
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Executes dropped EXE
  PID:1228
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5800 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,2877545404444180870,6871989956483489881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0517a9ec1a0298a87dac0ad50c998d79

SHA1
c01cab2a1ffb6180134315d827709b46d07018ea

SHA256
084f62f24d15ce30e231b1690497a004070932b3618e06d6b26079a489f689a5

SHA512
d9be6c0e55a74137b1e6dc882b0e665cb6c18fe80ff585cccff0bd4fc32923b155b62000492613c861b3f0cbfa8996dac7ca12d66fcf06d1b1d0e57294dee84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
236fd72d944b494ed36178d8c80baa40

SHA1
affaef8eea7ac675dfccc68528f9cc828906d209

SHA256
c84f8f8ff1471655a154db4ba294d245cdcee376bd482f7b433b42f28d4f0184

SHA512
6db4bcd8f81de26f8d5a350019f45be7fe00c3531efbc2cf8e96c696b4e75acc81514fbe10c02410895fa318ec1d2c0bfec429da97451d32d9b0a8c340b2894b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
31f0eeb545a02d79951ad7d16e687f2f

SHA1
03b9850d7330775f2002e3c21790b86b2c2c7360

SHA256
c94b89095aebd50ccf09175d89c0987d3ff94e9a132deb71ef19d9508541ed14

SHA512
a610eaf592a4e289932ca3021eb724d624f79bc42c0e497c4b1f8a91290c1ca2d608b03301eafdfc30bfa65f70686db28322bee4c93d43001ae049c2173780ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
486f305a90a456ee245f58c283ed7075

SHA1
ffb22f995cbc936b3a8ad34ff3e0ac0d94b02d51

SHA256
94157b6388a91a38407aad2ffe09238b41eede735416fd6c208bc0af6d1a8b03

SHA512
65146c487ab665d5a3b588b414d51d75977eb72dbf268bffbfa1bed4ef5d47e7219b8b4cfebaf721eb9aafb15fcccf2811e9bb4d9e206fc59b7592fe03dfb8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
49c8405f7b641371c2c9bb3783578c1d

SHA1
3439af403c4c125fa058ec0edee8769213b03ffa

SHA256
1c07e79b8c1034f01a9b1d102090018264ca749f265fcc6a909982d684754ad3

SHA512
7121c90cc94dceb339e37f467b8ffc35efca5781a0623bad4ecd7de494a5ac620bb2e080ff2ba3609d4a26a6b326c1143f4b617d57c2970a7e0d8d646f48d01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
49ad0bf93c2bf8d7086cacc4ab41de2e

SHA1
e40519f0728222fff3302ed674db0ec1f8722580

SHA256
6e7e94b673a9721a7fdb037caae3301311cfdc5350cc17fc2f0ce0e9d57c2074

SHA512
4586cc8c9e7262febf45db54c24b2ef6e62f9d6c1dcf7b9cbf7181dd9727810b93b9e238d701f6ab5e1def7f97cff479000dd751e2eff5d8d8b7cf1a7be61562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0b68f9c8126d77dedef130800d65421

SHA1
c685ffd2ea7196174802ab1f1584f73166ba342f

SHA256
a1a813f3ba471f6d54e7b641ced79d78766ea8ae2af768a798fcf82c5ebd55b2

SHA512
42fd06b13f03e5e3be702abef167e35d89c4603513dd7793aa327e141240f2e865e50b8f906fa0e596450e9276206d15d52705d09a02099fb7b3f068c135466d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51363c7c059776f45c7d77a5176f4242

SHA1
e672ac3d0d8d9ad3fa3c333da2224d0d9e8fc02e

SHA256
5f6b2b08700e2119d6e321820f1c8bfa7dbb5b473b9819a6a4d2ddee27210504

SHA512
38a3b20e09077ab4728e7a93542d2090256b2117e58ec50b4739d22ab365b596e1dde12b8b62f73ceb6c286eef7367332b2945b189619e26f113201017487719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
235cbb184d260e06631fab456f8c5a28

SHA1
bef59eb2e041613ed21b4c5cbf7cd751cdb139b7

SHA256
abaa8c23df3a61be912e9239f4581066e30878efed708941a70b1469766465f6

SHA512
a3dc7c8ce9191fe9b90716058b8a5f90ade16b55cb14b222fa8ae9f63181482f48524290b508a6b6dc29a8b40a18e899f3e32be08d97bceba69d4fb009c1c20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c59d1c127667139cbe85a60c43ac133

SHA1
12e871ab76585456cfea21dd0ca3835919df2d65

SHA256
2054e8f70e456f1a86dd213429bc200a96e325c18bfc2a7a1b5e9885da3c1163

SHA512
7e18231f5789a41fd623659433ae3f5430aea1ecca7a0c3dbd7bce450f6ed13eb56379f2ffb29524917b296c83db5a8ecf8724ec3f462f086a6af4d81fce4100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c1523616ba5f7f12c02b512f6760a4f

SHA1
5448e79713bbadb0786b8431c5cbd5d99a7ad1ca

SHA256
6c0b3c29e14cc32a411e67a1c6098fc9ae9781b271d3edc96cba4408fd41e0a8

SHA512
9d23689f6e22c97b158fb3d54f18ca0bd8086affc1c5b91be01d871a42e7a05a129383af879badee662dea36eca987a8428ce32b5f1105b0f57c04d7fe7d33ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ff218bd4c724a2e759096cfbfe619edf

SHA1
0055a91d9d331c63727fe34f76f7158b62831e3f

SHA256
d0d0a9143239ee39849f67d808c0c58efa825ac2d771113f041965e5c7839582

SHA512
662dce0434694da5fcbb22add36f6c72a1b319de12148322408e02428463311e2e7f41f61c19abc6a50d60a0c930115c6415a883726beee33ec87f89afb9fc48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c4544f8a0b4362735d189a929980e90

SHA1
743ed192281abbfed59d363da2a34bfe0a86a354

SHA256
ee5bad11e8270839efe7bc72df9334fd6aca5322f130d0cefe65d6500d849e97

SHA512
a131d7d394f67a80e782c5fcfc96592a4e64f1670691a895e2d87a9568fdb8821391ecec4066e6330e2a7630182fbf72528932a01240c3faa0bd23d70cd2251f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b0fb1aadd21d7579b428a045d4e7af6

SHA1
075b94d08ab3e4e1bf8d6ecd35d49ee357de6e2d

SHA256
a01ef26c20db1693516c0b538de595e7a9c3e7487b4e1bd123966172e69e3ef2

SHA512
36f3a4524631b7b2a03e4e5b74f18a8e076defe0cd3193f4231c2204c281bba30c2a40d702348e45636ff378c011fab92f4509ad63b9f7943227fc31004d6c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b3fd58028407f08adf7be4bcd8cff93

SHA1
77a8291f562d615af8ea44fdddd85eda129af7fc

SHA256
94a287eb800fa93eb50ff51e71c47ee545b2112a4107b54a54e240fb4bd80a5c

SHA512
664607fc88ab018d7f9b4e9a419f84a1dfc6d1cdc129a2367d02f14dc9bdd4c6b2e323b79087d24eb50b40acb475cba3324157aff6a92aa6fd773b8dcd7817ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07715a23421efde40be87c438184d571

SHA1
ea74a876654c42cbaefce890c4ac308c472281f8

SHA256
1123ed1747b78c9756e218d344ec408295a154b2eb2782a0c32620c88f316703

SHA512
5b4ba3b4ca2eed8ef0763510a6635ac989526359cfe3c1a10eb71722907a99e63f8c5b822aeb132164565a44f5e968507a19996e9fbab298fc71f738faa10686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5807db.TMP

Filesize
1KB

MD5
50601d9cbd9adc30de11267c861bea49

SHA1
ad5712c5f9d7962ed838f53dab5ebd4233a6e675

SHA256
9719ca30ebac630ee34b1d2d8d477e1b4d8023ff9a6eb72736f7d26cecb19492

SHA512
5101859f0c120e280890bd3da4d59c0de2952d8c5027e19a8dd3794e1c39fd87ca71847e121afe2a7ccebcfd38bc6f0b78be8b3b8cdaf0ac3bd0adf97c555587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d62f62dd2a784b201e41673b64ac3e0b

SHA1
472314eb1f17a436bef35980380e5bb4a0ee85e9

SHA256
8addf199a0a80e6fb07f714947c8e8fa0d1f8f9b9a0433a34e3cfda67ec98fc4

SHA512
1243c9537624abdbf776ce760f1612c6627019a2a8d5376ca8388fae597a91fa78ca179da0c8c4c165b27dedf0232f2dc8a53769f047031190a6abacc89a0b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4f77398a8547658575c4ca7fbe755328

SHA1
38d9ad44ae8e37ae5df0298b1e100a2da562c1b6

SHA256
21b5229b3c19f9f40d667bddcf5bbd99863c4336d18552246d7d73ac8f7bee0c

SHA512
642461bdf529f665228aada2a0ef4a33ee538d8ae4ddba200c906a77f655224483263f00f8311996c9ab3444ec69fe97231120f67b54c90a66176e53a77f9969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
35237b9d3c74a29fccbcaddc40228e4a

SHA1
d29dcbfe9764ff5f5d695790cafd399b5231d3df

SHA256
bba3f5aaef1e501274756f67dfc9a2091072af72125bf5a3d0055ebcb8146a54

SHA512
5431817e3d6b979a177e84470106793c427cb13195a345de396de1d0fce77cd8813bf6e5a946c8d985ed95643da5843250c3a586950a019c094f46cfae32a2ce

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Pepex-B.7z

Filesize
266B

MD5
76c91ca2129fee6d7e754fff2a8e372e

SHA1
ff18b163990a69a8f10b799a85ea0091b037936e

SHA256
fbd46c0ba42cc0bb4ee6e5f359c0f5c2c4499e09fbb7855904c9fdbecc64e738

SHA512
fbcdafdf0fcb41db4256651dbac9b0e00f51cd0e566cb88c01955b7ac9ec87ca5f601f918dcb19f0ba0d611d38b1e747f473d802fd812a9f38f97c3b86cb2e24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 718252.crdownload

Filesize
1.4MB

MD5
473eca3ac6347266138667622d78ea18

SHA1
82c5eec858e837d89094ce0025040c9db254fbc1

SHA256
fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053

SHA512
bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 929701.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/1228-308-0x000001751B8D0000-0x000001751B8EE000-memory.dmp

Filesize
120KB

Download
memory/6064-340-0x000001E0E2610000-0x000001E0E2F24000-memory.dmp

Filesize
9.1MB

Download