Analysis
max time kernel: 145s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2024, 15:44
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cld.pt/dl/download/91f9a3be-bda4-4996-af5a-03fa262db100/PEDIDO09.MERCADONA-A4-SIMPLEX-TTLDK0910202402284849292122.zip
Resource: win10v2004-20241007-en
General
Target: https://cld.pt/dl/download/91f9a3be-bda4-4996-af5a-03fa262db100/PEDIDO09.MERCADONA-A4-SIMPLEX-TTLDK0910202402284849292122.zip
Malware Config
Signatures
Loads dropped DLL 3 IoCs
pid   Process
1360  MsiExec.exe
1360  MsiExec.exe
1360  MsiExec.exe
Blocklisted process makes network request 3 IoCs
flow  pid   Process
47    1360  MsiExec.exe
48    1360  MsiExec.exe
49    1360  MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\A:  msiexec.exe  (2 rows)
File opened (read-only)  \??\B:  msiexec.exe  (2 rows)
File opened (read-only)  \??\E:  msiexec.exe  (2 rows)
File opened (read-only)  \??\G:  msiexec.exe  (2 rows)
File opened (read-only)  \??\H:  msiexec.exe  (2 rows)
File opened (read-only)  \??\I:  msiexec.exe  (2 rows)
File opened (read-only)  \??\J:  msiexec.exe  (2 rows)
File opened (read-only)  \??\K:  msiexec.exe  (2 rows)
File opened (read-only)  \??\L:  msiexec.exe  (2 rows)
File opened (read-only)  \??\M:  msiexec.exe  (2 rows)
File opened (read-only)  \??\N:  msiexec.exe  (2 rows)
File opened (read-only)  \??\O:  msiexec.exe  (2 rows)
File opened (read-only)  \??\P:  msiexec.exe  (2 rows)
File opened (read-only)  \??\Q:  msiexec.exe  (2 rows)
File opened (read-only)  \??\R:  msiexec.exe  (2 rows)
File opened (read-only)  \??\S:  msiexec.exe  (2 rows)
File opened (read-only)  \??\T:  msiexec.exe  (2 rows)
File opened (read-only)  \??\U:  msiexec.exe  (2 rows)
File opened (read-only)  \??\V:  msiexec.exe  (2 rows)
File opened (read-only)  \??\W:  msiexec.exe  (2 rows)
File opened (read-only)  \??\X:  msiexec.exe  (2 rows)
File opened (read-only)  \??\Y:  msiexec.exe  (2 rows)
File opened (read-only)  \??\Z:  msiexec.exe  (2 rows)
(46 rows in total; every drive letter except C:, D: and F: was probed twice)
Drops file in Windows directory 10 IoCs
description                   ioc                                                                    Process
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5752.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\                                                  msiexec.exe
File created                  C:\Windows\Installer\SourceHash{07856D4C-7AC4-4062-AA1A-64B029A0CB72}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5A04.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5A53.tmp                                       msiexec.exe
File opened for modification  C:\Windows\Installer\e5856f5.msi                                       msiexec.exe
File opened for modification  C:\Windows\Installer\MSI58DA.tmp                                       msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
File created                  C:\Windows\Installer\e5856f5.msi                                       msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class 1 IoCs
description  ioc                                                                                 Process
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings  msedge.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid   Process
4548  msedge.exe           (2 rows)
3048  msedge.exe           (2 rows)
4564  identity_helper.exe  (2 rows)
856   msedge.exe           (2 rows)
3912  msiexec.exe          (2 rows)
3380  msedge.exe           (4 rows)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process
3048  msedge.exe  (7 rows)
Suspicious use of AdjustPrivilegeToken 46 IoCs
description                           pid   Process
Token: SeShutdownPrivilege            1868  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1868  msiexec.exe
Token: SeSecurityPrivilege            3912  msiexec.exe
Token: SeCreateTokenPrivilege         1868  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1868  msiexec.exe
Token: SeLockMemoryPrivilege          1868  msiexec.exe
Token: SeIncreaseQuotaPrivilege       1868  msiexec.exe
Token: SeMachineAccountPrivilege      1868  msiexec.exe
Token: SeTcbPrivilege                 1868  msiexec.exe
Token: SeSecurityPrivilege            1868  msiexec.exe
Token: SeTakeOwnershipPrivilege       1868  msiexec.exe
Token: SeLoadDriverPrivilege          1868  msiexec.exe
Token: SeSystemProfilePrivilege       1868  msiexec.exe
Token: SeSystemtimePrivilege          1868  msiexec.exe
Token: SeProfSingleProcessPrivilege   1868  msiexec.exe
Token: SeIncBasePriorityPrivilege     1868  msiexec.exe
Token: SeCreatePagefilePrivilege      1868  msiexec.exe
Token: SeCreatePermanentPrivilege     1868  msiexec.exe
Token: SeBackupPrivilege              1868  msiexec.exe
Token: SeRestorePrivilege             1868  msiexec.exe
Token: SeShutdownPrivilege            1868  msiexec.exe
Token: SeDebugPrivilege               1868  msiexec.exe
Token: SeAuditPrivilege               1868  msiexec.exe
Token: SeSystemEnvironmentPrivilege   1868  msiexec.exe
Token: SeChangeNotifyPrivilege        1868  msiexec.exe
Token: SeRemoteShutdownPrivilege      1868  msiexec.exe
Token: SeUndockPrivilege              1868  msiexec.exe
Token: SeSyncAgentPrivilege           1868  msiexec.exe
Token: SeEnableDelegationPrivilege    1868  msiexec.exe
Token: SeManageVolumePrivilege        1868  msiexec.exe
Token: SeImpersonatePrivilege         1868  msiexec.exe
Token: SeCreateGlobalPrivilege        1868  msiexec.exe
Token: SeRestorePrivilege             3912  msiexec.exe  (7 rows, alternating with the next entry)
Token: SeTakeOwnershipPrivilege       3912  msiexec.exe  (7 rows, alternating with the previous entry)
Suspicious use of FindShellTrayWindow 63 IoCs
pid   Process
3048  msedge.exe   (61 rows)
1868  msiexec.exe  (2 rows)
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process
3048  msedge.exe  (24 rows)
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
1360  MsiExec.exe  (4 rows)
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target
PID 3048 wrote to memory of 3952  3048  msedge.exe  83  (2 rows)
PID 3048 wrote to memory of 1544  3048  msedge.exe  84  (40 rows)
PID 3048 wrote to memory of 4548  3048  msedge.exe  85  (2 rows)
PID 3048 wrote to memory of 4572  3048  msedge.exe  86  (20 rows)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3048)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cld.pt/dl/download/91f9a3be-bda4-4996-af5a-03fa262db100/PEDIDO09.MERCADONA-A4-SIMPLEX-TTLDK0910202402284849292122.zip
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3952, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdce0346f8,0x7ffdce034708,0x7ffdce034718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1544, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4548, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4572, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3760, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3484, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 2484, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4564, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3240, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1108, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1196, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5644 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2480, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2352, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1464, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 856, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3380, child of 3048)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,3975851495813829487,11080134462085952707,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 4760)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3292)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 2728)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\msiexec.exe  (PID 1868)
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_PEDIDO09.MERCADONA-A4-SIMPLEX-TTLDK0910202402284849292122.zip\PEDIDO09.MERCADONA-A4-SIMPLEX-TTLDK09102024022848492229492404292122.MSI"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 3912)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\syswow64\MsiExec.exe  (PID 1360, child of 3912)
    C:\Windows\syswow64\MsiExec.exe -Embedding 2AC2ABEC1E8648A3389FF5C1581EE1FD
    - Loads dropped DLL
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize  832B
MD5       ffa3394d19dc679f42a39055c33983ad
SHA1      b0397d78ed057c34d6af9e54ca52106aebe1fb75
SHA256    7e6adb880dd2e1e8515540fe069dd574ae6ea7f42a7a4f8961ac1ca87d4bcc3a
SHA512    4fb778055ae4ea783f8bf02234e8585c7e40198e583bf787c6d23e250ef64e1ee9b80b96c6c965cdbeac06818e05f51cde0d2397d6dd0dae15b869b14044c8f9

Filesize  152B
MD5       6960857d16aadfa79d36df8ebbf0e423
SHA1      e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256    f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA512    6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Filesize  152B
MD5       f426165d1e5f7df1b7a3758c306cd4ae
SHA1      59ef728fbbb5c4197600f61daec48556fec651c1
SHA256    b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA512    8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Filesize  6KB
MD5       de3d87de1b1a8028ee4de037135e284e
SHA1      f2c8100d2812972dae22ff9c2c63ef6f1040d4ac
SHA256    c1b77edcfc96cd853365a5a95946e85843877b478cd43f49ddd8a038ada2c02c
SHA512    969c5471cc97998064c33e5e2ae15c8add100aa8214cc32496bce10860512ea84ca6ee481830c6f663b0594f7fe86d143d8b9f9faf9f30ec1963776517c53031

Filesize  6KB
MD5       7649087dba311b06fa8d73d27485b75e
SHA1      091780d210085f401c0fcb584dbee0a8f424b1e4
SHA256    86cb6ed0de4341c656fae96aa6b3b0118b6aa567538216ee00398f152d93f28a
SHA512    bac475498f432b3a2f9613291068eee72651177557257649fd1f10307f140f0b243d1c9731ffd00ae56bf18b789beda37db63c0f8691d416fbe71d20f9313014

Filesize  16B
MD5       6752a1d65b201c13b62ea44016eb221f
SHA1      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize  10KB
MD5       44054fbe1dea78b915e02a7a5f29dba3
SHA1      51b8d5af29ead914de649a71f2f88bc71fcf15e2
SHA256    3764cd464b342d939c06afc0f1acfb933d55603ea128f6546866dc878e8f77a7
SHA512    63303656b4d1156f640853b4d18179650f8036de0cbd04c18f46e504734ba201b1e6d7aecc6b2de20a4818b8575a0726bbc4070e6b8249c9010c121a7c4c6530

Filesize  10KB
MD5       331f4c481327d7749ffa476e8ee84157
SHA1      caa3451c460abee584bd5dc7d6ba4c5aa41ac71d
SHA256    9102a03b3971ebfd7923438d57eae2ed6c26362bcb659aad92561335b487e949
SHA512    c3efb460a0b1b1ee83e753141079c1d3d17bfcd376cd7bd95162fdeedfdc2656cc8c81c44f167fe170524bcbab160d5bdea2941d30610b47713626e038c99c96

Filesize  7.9MB
MD5       1a3c8b95fb2b87c885ec894a1f73adea
SHA1      cf081c991ff4dece7e8bb965d438d761f7812d98
SHA256    90d9d63d2421549919c17bbc9fd4818d18194e131c4e4d70180fe07f591d8dd2
SHA512    fbe5013bdd46d36fc5ced8dc7c429df2db74229a3d7f46671e55192c7a305fc6af136f80f1551892a8614f2c0fea4a899358b73e4d67ed4adde47aa91a48794e

Filesize  557KB
MD5       2c9c51ac508570303c6d46c0571ea3a1
SHA1      e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

Filesize  20.6MB
MD5       265710664518f1f389d0d5569d4c6bfb
SHA1      811a8e190deeb08de706d73a10dc5ba9753741cf
SHA256    5fb3dceb79c04c352841658ac4586c0d076c890f5fc05bb45c852ebac8978bb9
SHA512    3ac225b3517525104ea9703d0ead721aa9cf9d68cf5aa884a3994f0858e6f185323dc3beb0b941a91ef98a1874d3ee6b7dfb333eb4f2b5e863647694c911e04e