crimsonrat | hxxps://www[.]google[.]com

Resubmissions

11/04/2025, 22:29

250411-2d7tha1px9 10

11/04/2025, 22:25

250411-2cdh9s1n15 8

11/04/2025, 22:18

250411-18aa2s1mw8 10

Analysis

max time kernel
77s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00030000000237d4-1474.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
196	3028	msedge.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 8 IoCs

pid	Process
2044	CrimsonRAT.exe
1620	dlrarhsiva.exe
5568	CrimsonRAT.exe
5424	dlrarhsiva.exe
1708	CrimsonRAT.exe
544	dlrarhsiva.exe
728	CrimsonRAT.exe
4508	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
194	raw.githubusercontent.com
195	raw.githubusercontent.com
196	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_150437750\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ja\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\fr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_150437750\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\am\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ms\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\gu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1959431190\manifest.fingerprint	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_1404_1862591231\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1959431190\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1959431190\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\offscreendocument.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\kk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\vi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\th\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\en_US\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\it\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_150437750\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1959431190\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1051079064\page_embed_script.js	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133888841732373091"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{AFB11DB8-21AF-4485-9A78-0E6E50E69BB2}	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1328	1404	msedge.exe	86
PID 1404 wrote to memory of 1328	1404	msedge.exe	86
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3028	1404	msedge.exe	88
PID 1404 wrote to memory of 3028	1404	msedge.exe	88
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 3516	1404	msedge.exe	87
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89
PID 1404 wrote to memory of 1260	1404	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x344,0x7ffc8420f208,0x7ffc8420f214,0x7ffc8420f220
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2368,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2420,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4968,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3960,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5508,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6212,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4320,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6360,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3900,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6496,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6556,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6812,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5400,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2096,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=3240,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7256,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=7540 /prefetch:8
  2⤵
  PID:1552
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2044
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1620
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5568
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7724,i,13815650062727199939,10816322162706150492,262144 --variations-seed-version --mojo-platform-channel-handle=7812 /prefetch:8
  2⤵
  PID:1212
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1708
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:544
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:728
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1468

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping1404_150437750\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping1404_1959431190\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
df2d1721cd4e4eff7049314710dc7c11

SHA1
f5aed0158b2c0a00302f743841188881d811637a

SHA256
ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

SHA512
11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
6d84fcf0b78f0e2f8edca1e8bf241cc6

SHA1
5fb32d7c58e50621174cde78c41f281ea06f2b4b

SHA256
fb3bc1cbe6a213096a141f9275c184fce040b8c98e982c321407591961effea5

SHA512
32ba08d1654122f0f2bc09c35bff7658046cdb7065d9098f2a026f04f5a0fc374a544a741c0368f4b232c846174dc39a22e434eaab45f43e3030e0357c640904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
67b81c801273fdfe84956ab0e203d083

SHA1
7297527beec72bd76107117da4a779c383353bb7

SHA256
bae6c5cec6b154bc5513f39bc735714c906177deab7201827be3e2943c1e0bd3

SHA512
337c9678f1dc1db6e4dfad11f5b9e7ed58f48e590070014f16677c23dcf0eaf801d933f29250b829b037d2d926d4ae40f4c3562a422f7ec16e81a5c9a5c14a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58028b.TMP

Filesize
3KB

MD5
0eccf826245361c2dc45922e211aaf07

SHA1
e100e559aac1db071c45ad1b6ac3610ee02d9052

SHA256
20c1c1a96d434dca3377928b5593bca3e72ec479220ee0eac81f9633e6ca0357

SHA512
15ff97ba2f6d1666d9ae7ac4a50a36e53753bf9d2567f8a4cc45c88be82c3c6c50cbf33b73bdb86a071a8798a7e537ada3fe6aa83348471f688e12a823646d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\manifest.json

Filesize
2KB

MD5
ad6aacf2ae0008ce3f78d651fe7fba31

SHA1
44c260a2198694c4e1a433e842088585e8aff53b

SHA256
e8e311634917d45b4dea586db583d33b6fcdbc24ec03ab0e41d2366d119f93df

SHA512
216e5788d108b315fe40f9408f5fb5c094c25daed5747110ae87a60be1133c4755a7f04ddaec32f2609a60283f88c5798c2505cec7a214585d4be02a8f0f0141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
b3b394604323a2ac483f73fa9f05a31d

SHA1
460c7a225296cc871d12b8815b0ef2b3b9dd33ff

SHA256
c4be9d2530d9f9b3cabd232101553efc3b40933f44788ac989cc4f8b75e1e60e

SHA512
f867a81d67f5f15d93b23966082d6a378e3614aea98e28eb503b6265ffe893a61fc3613b42fb670e7a26584e118a948adabc32966c3399bdf9bab81ebc20f0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
88abcd15b45930a952e16b0c53b81976

SHA1
7a99d2c556fcc0de25653487aaa3ac55458dd5b4

SHA256
e6ea1551da5c0716eebdb11981e5180a353fab91796937eefb202fc1c1a5a3b9

SHA512
6765a9edf6475f25e0b61f60fa0c0d48edfae5901f163084682a8e7ebc30c68ed5e6c2f8dd1ffbbc340455a5f92792d9a7986f5a570b6bac9aec3c0b87741a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8c030e8da2d94c3ec18736f891e94ca7

SHA1
f6d28ed5df71a53f41dacd9148896b59a5b26398

SHA256
5a108b3cb9cf1164cc381a9c1812e5e089ff5da1f750f1045577f560ff4d4b9f

SHA512
b827571c0e1eed0f467c84b885dd139ccf459385ab82c79b584ecba132a2a492f561116c6f547b318f420761a041802d3e25c52ac8984c263b71cfe8df9ed91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
3dcbce8c4846e90d732656c54929c1b3

SHA1
7d38d157d3fd9a5b0e3cfacd499050c10e28a382

SHA256
d167e76cd098e7194135e61e58d3c7071a43a4e80961dc6d73a59f33b507effa

SHA512
7d47518287ed0c55c78d0e711e1c7a150980c43c15c63a0fc2b75fcc08f3a938be93e7c62c42905d90af267704f5ab9bc74074fdf8f42d9cf9d5fd2cfa289cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
8d573b3c8ae1c7d7b18794e6b6191ea9

SHA1
9480d8ab9628d5399a2f57dc8ff0f57e45541b50

SHA256
f6a9664d5e7ce4ff9a916d928ad7719eaaaaaf84b0d6ecf9fe8ff62cabec5e5a

SHA512
04ecc17ff850dbbc5d651d0bc1b525f5c3de5561c1792b5c0ec8287f274cc57965ede79dc0f62c1afb85a965d17036d5941b1407966a675233706082331811bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
47586ad3c4cedcaf63cedb8e36d967b0

SHA1
69811cdfda92300968d3d49d7685c6a522da3b42

SHA256
0bf1545d78ece9ce5d93f822c823d4738e8e07508c9043e19c15cd181f4be034

SHA512
c4ae64f727ec45bd8ad1af6ccbc4aced3ee90d68251fe67a974425d5c002491a6e2a28040e65326c54530446f1f9277a4f3607672e4871b6fc321898fb690829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
a7b281d6325421f8e0178e4f463810e1

SHA1
36ccf35df235417ba987f763d306b413d5e40114

SHA256
253de6555f5ae22b646630c9a158f0369c1be443ad5ab2e1d826210d6344cf8a

SHA512
58469586b2bf6c88852a7db679527a14149aa2a3e8cb7d74a9771eca33e3eff1caa5f2dac85377d4320639ee13843da2ea6603a2c2d2acdcf21d03197f55510d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
902B

MD5
6f59ff9d78b867a6687de0ef135e276f

SHA1
30cb710bf525d370fd0527c597623a7e1f177ce8

SHA256
985c348fe2566c9663733b95cf46d8c38842fbecb4016d8b271ec9fd00c8b712

SHA512
42cd61db037745edae34d07a812a9ea71693b29ce8e77bf86bc66f45f01c6ff2e2c30e586e4d8ad0a93f6d8c59d946b2fb39f2ac6ce908962c6d3c5ad8a9c460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
7dd8bcdedec569cb76f07f33a1ba4ef5

SHA1
4a0a5c2018937074ea67fbf2eaf24f2265735e6a

SHA256
6c6a5850ed7bd32bfc8d1404fff10c61f785b315aee668bb3d32c2b00cb21d00

SHA512
691a2f2f8ac77d3af1120e9fb2c5d15028c0813ae8e047c204d28184a6b60a923d5f550f5a87b36c0734b019af99bcf5013f4297aa043ae65675121ebf4ddb08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
bf76a13e9f47f8df3a704bf16a22cb71

SHA1
aec57d7c175206a01f49b1ae848f0b4229058cd5

SHA256
de10f7f1ab7765a4b68f0977b76aaaac25d15afa0d5d9da5e674b4538000ce1d

SHA512
eaa824489f5f2555520cc6c06cd3226ec4ca9758d32b7261f0e3eabca84347abc83d65216e1274cc1ef26cdb38a5a3f2a5a329ae1b91cb4d362511b9a26f9ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
a5ff318ff3d94a46d2cc26e5448920ad

SHA1
01a56bcf1f3396a78833fabab518ec71e40d3ce0

SHA256
5cbe6ee04f1cbb25447824ed84087ec9ba67ab0b02568385ac2a6550b7d68e9d

SHA512
336aa680b7820978bc8df11f14291c0374796e0d1b10ad671ab5d8a9656405c5467d0625923b874e9b7a615f35a94ea9d49ced26b54f6cbae0102e3ffb06eaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
5483237f5395b550e8cdca2ac75dd48f

SHA1
d21f186144628a3c023affb811782c9bf3a04aab

SHA256
7173935eefa05659fecbeb224a2b628cf1fd871b10b977f77b15d3f7c4633eca

SHA512
a1f456796cf71dc07684c1f6dc2e1ac89fc84d0f6a00af4754ee00dbf3758b6b27d98cb1e5feaff9d8dd7f36eb56597b53106d3fa0b6fddb4b9bb1737678fff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
84994b311f6731cae1f8217b8e5d0f8a

SHA1
fb5ccfe565d2ff02ee589689f70b8d77e3487665

SHA256
42ffd381fa72313916fea2c0b5796eefc8c3eb915aee19fcfb22116c94b91712

SHA512
6ff58b4e3faceab6283a458698ac1435fd2293ea450838dfe10268edf774b08710e99a67fe378490e1f08dff7f88a476cd6a5f7a09e0908a246df8c7b8bc4c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
edf7ece314aaf552805dd78867784ded

SHA1
6dc9cd954212f4e82f162d6e5c98331c5ae4591d

SHA256
0a0246ccc58b3f2ee19825eb2f6b42ed0c4f81b3beaf81786ad515d06a82560a

SHA512
c5af6e8b346f3be70f80c9f68b594e57a85d7d5cc6f46e29120baee5d1d657a5d36bedc486a1e1181b8e0651ee007275dd3dc9e50ab3585ab378e0117385bf7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe581df3.TMP

Filesize
392B

MD5
2d71dbaa887a732e29ba803960f25efe

SHA1
07b250b6091c49e3880b50bd725675b7ea681952

SHA256
cd374d1bf61cf3b5a06df2a483795d39a39058fbb085a1c5123f7ddd7a45302e

SHA512
ae966910b34adae7f23b87108e1a049177e1e86bdcfc457c933f61303b2ab6a6d9f631e68c857e46a483d82e391ea9402d72d71d80f239f049c4a0b64d71993f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
4888218b94f78ec6fb24710bfa0ff279

SHA1
7b6845c3d5ae328cf1c51aebb85f1103e6b962be

SHA256
0849718acc69c4b56f6ae42dc342647e0da66eb5ffbd60acf05487321c4e183d

SHA512
c64d9d4a80689fbcd7dc8a07c4eb95079407b13c965f64bdc43feedc832e7854c6c9d3a0e3025456c67b7a7c77d2940f57292b5b38f61f58959a845765008d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1404_1179228558\CRX_INSTALL\128.png

Filesize
4KB

MD5
35696aba596d5b8619a558dd05b4ad40

SHA1
7ecc1dad332847b08c889cb35dda9d4bae85dea8

SHA256
75da533888189d13fc340d40637b9fc07a3f732e3fcf33ec300f4c7268790a62

SHA512
c32f20865f736b772844aaa44572369e7ae85b9f2f17f87d61694acc54487309a32bc4830ed8d9cee8b593babecf728c1ea33c2b9588649be0e4f1e6ed7ee753

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1404_1179228558\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1404_1179228558\CRX_INSTALL\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1404_1179228558\CRX_INSTALL\manifest.fingerprint

Filesize
66B

MD5
015da6c5ba421643a8b70f607769bdcb

SHA1
3b0803a9c69a41be2a07d1c85fd0daa77b3e6fb8

SHA256
fcbe092bb1f107fdd3fcd5b611994c65db5818f11c76a63fd79a67db09c5cb72

SHA512
c57d19088f0b46a483b86246ad2090905308327ae86ec9815588291b0baf0e0af94f3aace885be4b94d0189fd672a4c8e512a188cb0e2bbb6d0dea46805c2f01

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/1620-1483-0x0000024794920000-0x0000024795234000-memory.dmp

Filesize
9.1MB

Download
memory/2044-1451-0x000001E821740000-0x000001E82175E000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads