2ea93fd81425d720cdfcbcccfcc878f16f5e870139e14b851d149679ec82375a

Resubmissions

04/12/2024, 19:24

241204-x4fqgsspcn 10

04/12/2024, 19:06

04/12/2024, 19:03

04/12/2024, 19:00

04/12/2024, 18:20

04/12/2024, 17:37

Analysis

max time kernel
640s
max time network
613s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

dcb9d87a83da8972f5cee58389fd1805
SHA1

04288b3a9f36616088c0111bea2473c8a32a9756
SHA256

2ea93fd81425d720cdfcbcccfcc878f16f5e870139e14b851d149679ec82375a
SHA512

2e5cc2973b00f2d9688c4cd051c3b40073828b5e65fbb4cf24f0123a2c262c5bc09e8383d4a27fafd4acc96c380d9b7c646176d4d92c77f337065dd69acbeab3
SSDEEP

384:X6CdeU1ocy4K4lbGaIBvhpNC9CKVlObz6r0sZZfk1xCejiw:XVdZ1ocy4xEaAJpNCCVbz6r0sZBexPiw

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabezat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopPuzzle.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
4108	msedge.exe
4108	msedge.exe
4440	identity_helper.exe
4440	identity_helper.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2284	msedge.exe
2956	msedge.exe
2956	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 740	4108	msedge.exe	83
PID 4108 wrote to memory of 740	4108	msedge.exe	83
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 4372	4108	msedge.exe	84
PID 4108 wrote to memory of 2872	4108	msedge.exe	85
PID 4108 wrote to memory of 2872	4108	msedge.exe	85
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86
PID 4108 wrote to memory of 1408	4108	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3e7f46f8,0x7ffd3e7f4708,0x7ffd3e7f4718
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,6432208267245803842,5252378346866172958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3692

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1652

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4488

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4760

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4764

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
1⤵
PID:2412

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\DesktopPuzzle.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3cb6468d8adc5c1ddaf8cb5e529a9f5c

SHA1
10afbb832c3da141f2b543d5f1082106fbc6eb29

SHA256
7bf3562419655ac723a12583d392c1b203e33368317c70f578766659dc411534

SHA512
9c1baa07f88cfa67562d1dc86f2c45e4fb54e8fd111fe6ab45dfb073606b386ef7298beefc399bddbb2c4f4d10e00fdfb0a36b2f8b09c7a33a1a56a18bdca945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
aa4646192e9384b80a0eca399ef5e8de

SHA1
59e8d5c260f77415dfc2a97e9a4654133f8d4c3b

SHA256
2a6be8f750a33a3915771a14ca92f502a153efc36bfca66564c9b9d239156026

SHA512
27bd7ad6b21ccd58062ccf22d34a9ae9f8dd96b3f17948855035b09c93baca8c99c8b7feacbdbc2e4285f5fd0f537e522df80fd02227e5c65589a6fbc7a052b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48f4bedb1f7fefec2b1fd25a1782cc6c

SHA1
7aa88d144e1336c0fb7cc2529b9749a86ee75523

SHA256
e0e228c424046b234af5b1d7f5ce75f40b1f2e90a3cb9b950ea64de8dd49890c

SHA512
e9fcaaac6266ed1778f2f9dc1c593ac90149f4f4c1d079837e493adc1d862ed52a73b5303cef2da7fba6a4a3ba376df07f5832f3093592dc0f33e6fc341ae699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
676a3201cf61116e2258daee869d0920

SHA1
d9ed9a3866f621013d70dd6126c42d3adb397a9a

SHA256
760b93691ba05042d6ece9b9ef54cc7094043e0f654445c0d4a02d70d12ea977

SHA512
7faf8b834908e0e52cf9b36ea25b46c46f652f936ed377ac26ce753d9f04e7f25fbd480c9d18100be0cdff7a5a282080b3e50178a001fbd4424a3dcb3d5cc336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab1a9bc3f261b5bed99090ce0344878f

SHA1
bf174c47594dbf68745d77380c26f0dab0fbec44

SHA256
8662584689a8a60ded7c5c1075d25bf4593357e7061d8ad119d30c0de504faf9

SHA512
3a3f6b73dd0b3daf95e8a2780cd326173d6c9455742aad5094ad45ffc83358b938f5391bf590881b6a483165742042497de872289c2463235937e74fb0c91c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dabd65b6e8a3e9171fd73a19c9816838

SHA1
b4612c270a12e3627cb2c67c8c8002e6c678e2ce

SHA256
be9f4b75b5109701584453e0ee1274e6d79591be949fb4f77ec793cb204134c1

SHA512
494e286b67ac6ea561a453b94e781c0842152d9ffb1f6688928188d3587a3b73c6aa06528a35c2ca3c094614a0ceb75fc0a6ae589311c6b4c2a9d7daf73abf4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b93c6f6ffe7d2dbafefdf269baa74a1a

SHA1
7cf015efc973492a97e0d25170404034a44954c6

SHA256
efe338920f63c28ce63678bdf29e9a89024f1c51e75e2b23a3314637c2899c9a

SHA512
c801bd6c31ff8aef58ba6641d8aa22ef79b22109acbbad725842378da3148d5aba6188e4f43d930d40c880bdda4c674ba617f13e0bc2114784e2aad04574c20c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f21b6002b6e16ae0e2229e01cb9d50a

SHA1
9ba94e0d11d77035c4e2d7f7cfdcfbc90b9641b4

SHA256
c7abb0c30f8c7df25c00867fdddbccc72606ee234d478262ccc868e1af4e8af8

SHA512
60ea35b06fc4efb23a67ed0fb02ffad113d040bdc1d8a0494cfe6d7b13fc36e6bbbb7fe7465237318aec93ff98ce092873bdb47dc5f0721cf9b55d41c800c013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
072004463e2b8addfd707235a3677817

SHA1
014f73560a86e8c45dd0593bc03bb7e3dd7fd643

SHA256
2790385810f511da8e4d880422a989baeb6061a70eafd95b40175a7b3d7df78e

SHA512
a2016c7e6a41d868d5ae396a570e77499262f7f1ee83f0bd8c1585336622d82f29dc349ce96cac4cdd604224ef17cd7143fc8efc33b436966e14595c42d4594a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a498.TMP

Filesize
538B

MD5
3a674eddf2a9bb6805d32c9d50c297c6

SHA1
4ed451971e9c5a68266d70cb9f04851075904b54

SHA256
8e7b2e2287bef763cc6688f99e7fd9f2557071005c0db582216c9fa759fc140e

SHA512
f31cf81fcebd22bd4e0ea9f3c15115018fe7d2e48becb4a0f5c6cd0290e2fecc7b36982052909bbc2b3840b1ec0ed494ff4d8c1c8ba4261936edb5365be6fa27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9de6e726d5f2ae43a233a8d6f7ce2d98

SHA1
a8161d5fcdf5b016acd7a08b7abf5e09c2772859

SHA256
48757209f83c9efc719db87713b4feeac3a14c5c50970d3955649b6ad1cf8cd5

SHA512
f832ae1c410419a312e7bd8b6a246a736dea1b51d7873a9e2141f6a261c520e0814023a32a09a120d5df3485676f1b1c6be04b06570faf97ef640e331e591070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c8c13b916c79c7ba3813bdd70db5de2

SHA1
844258135a2e3f680f23fec64e19fcedcaf0ab4a

SHA256
2caf11d45befd81ea1327dc57576652ab8492b22cd3026d9451d9470cc184b82

SHA512
1b0a91e21d870a364cd763d1bfd5a64b4b29b0c6c9184d6a63fca6d9bb91bc38d4189c6f3693f646fc02f1bfa01240fde61bb6b7a29b29f01f89cae944d013f6

Download Submit
memory/2412-423-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4488-421-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/4488-420-0x0000000001000000-0x0000000001026000-memory.dmp

Filesize
152KB

Download
memory/4516-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4516-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-422-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download