Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3PDF2Word.url
windows7-x64
6PDF2Word.url
windows10-2004-x64
3help.html
windows7-x64
1help.html
windows10-2004-x64
1pdf2html.htm
windows7-x64
1pdf2html.htm
windows10-2004-x64
1pdf2rtf.exe
windows7-x64
3pdf2rtf.exe
windows10-2004-x64
3rtflib.exe
windows7-x64
1rtflib.exe
windows10-2004-x64
3Analysis
-
max time kernel
146s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
08/07/2024, 22:37
Static task
static1
Behavioral task
behavioral1
Sample
PDF2Word.url
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
PDF2Word.url
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
help.html
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
help.html
Resource
win10v2004-20240704-en
Behavioral task
behavioral5
Sample
pdf2html.htm
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
pdf2html.htm
Resource
win10v2004-20240704-en
Behavioral task
behavioral7
Sample
pdf2rtf.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
pdf2rtf.exe
Resource
win10v2004-20240704-en
Behavioral task
behavioral9
Sample
rtflib.exe
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
rtflib.exe
Resource
win10v2004-20240704-en
General
-
Target
pdf2html.htm
-
Size
397B
-
MD5
d7675a1013383379d68992ff7c8e44cc
-
SHA1
f2e400fd78e2aa620d98bb2d138f05aa264aebfd
-
SHA256
59801f5c0ca1e9baa5eaa7bad508f86575870005b8f308e02849f5f9dbded46b
-
SHA512
fb22f2dd6ca782a2f5bfd0b531d17cfab35a99bb3457939edbc800d9fb08ddb5c67db534617b8ee079c83d0a622465c1a2b04b0f95244b57007937439cc8ab32
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3852 msedge.exe 3852 msedge.exe 3368 msedge.exe 3368 msedge.exe 2368 identity_helper.exe 2368 identity_helper.exe 1380 msedge.exe 1380 msedge.exe 1380 msedge.exe 1380 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe 3368 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3368 wrote to memory of 3968 3368 msedge.exe 82 PID 3368 wrote to memory of 3968 3368 msedge.exe 82 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 2668 3368 msedge.exe 83 PID 3368 wrote to memory of 3852 3368 msedge.exe 84 PID 3368 wrote to memory of 3852 3368 msedge.exe 84 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85 PID 3368 wrote to memory of 1956 3368 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\pdf2html.htm1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7c9646f8,0x7fff7c964708,0x7fff7c9647182⤵PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:22⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:82⤵PID:1956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:1048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:12⤵PID:2856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵PID:2100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵PID:3076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,2463687090687817375,7286587697690874135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2612 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3628
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2192
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a27d8876d0de41d0d8ddfdc4f6fd4b15
SHA111f126f8b8bb7b63217f3525c20080f9e969eff3
SHA256d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe
SHA5128298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c
-
Filesize
152B
MD5f060e9a30a0dde4f5e3e80ae94cc7e8e
SHA13c0cc8c3a62c00d7210bb2c8f3748aec89009d17
SHA256c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79
SHA512af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6
-
Filesize
6KB
MD5d21d0c867cc71bd7b40e23fdfb8f2749
SHA11bb1458268e8f369b60a6053feecb348e2d46058
SHA256656d56bf9495a2c4a8bbd598f7bb8137e238084f0d0fe0578e529d16244a5782
SHA512a1b762df5e4b44e264b6cdaf03a0c71b1b1eac1869b969854d4c3177d7356452c7ddc17d873037f19a927dc71b9cbae7286cf031a7cfeab6c39fdf4329bc5034
-
Filesize
6KB
MD59c3dfdc38307ea6ca3bc641279794315
SHA181d205e5da0e7101d6122989148ca6b8e4eeb40c
SHA2565c2838b66ab90f825f5e990f73d8a0d56e3f9dd9d9f4a7faefceb71d450e7244
SHA512a1ae526044fe40fa73acb08c884805256c497fea722dd945e9607c85b5ef76815c2570d07a874873e596b4a7b99a6d3577734176eb46f533f18e30ba466425e6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5176c0a420e277981763f1a1d9f6a1e09
SHA1a7874a02a69cc84b7b90939426d29519290267ed
SHA2565c8654c8580b0be4f0442e1b9e98c9f328111e3ed852669a25dccae1ba985963
SHA512df1b4e4c177e8230ce14da3b38a9ad3a60d7fcf4971b4621da4d084610906d97a105951551d81d6a928f937746e1977956e35e6930f73b94c92aec08fdbbc16d