Analysis
- max time kernel: 53s
- max time network: 59s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 16:26
Behavioral task behavioral1
- Sample: Screenshot (42).pdf
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: Screenshot (42).pdf
- Resource: win10v2004-20241007-en
General
- Target: Screenshot (42).pdf
- Size: 18KB
- MD5: ce07a5048fb23c861fda81ae59069bfc
- SHA1: 1798b5b6af36225cdc8308d8cf60c6cd86ebfdf1
- SHA256: 72a4bdd8cdab78f9bcc9b8b38e953fddb5d9047db5d004ea0782ae005aea61c1
- SHA512: 77004737a0c0b4b15e2360af7d47007c1379dbd62d210875b3c0361500fce231f9cd07771acfda6ad8912251cdb06346155070eaa12bec7bde4a074a5d206e92
- SSDEEP: 384:dcjOlC0rofWZW6i5P6gvpR16KCDYjLcgJJ1bQzCUSsIWxqyNn2ANrOqQUG9LTT0M:d0uWJJp6bG9JJFQzpIW8yT8j9Ln0M
Malware Config
Signatures
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe (7 of the 8 entries)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe (1 of the 8 entries)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid | Process | entries
  4392 | msedge.exe | 2
  3676 | msedge.exe | 2
  948 | AcroRd32.exe | 20
  6012 | identity_helper.exe | 2
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid | Process | entries
  3676 | msedge.exe | 9
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 652 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 652 | AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process | entries
  948 | AcroRd32.exe | 1
  3676 | msedge.exe | 25
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process | entries
  3676 | msedge.exe | 24
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process | entries
  948 | AcroRd32.exe | 6
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | entries
  PID 948 wrote to memory of 3164 | 948 | AcroRd32.exe | 87 | 3
  PID 3164 wrote to memory of 2096 | 3164 | RdrCEF.exe | 88 | 41
  PID 3164 wrote to memory of 4884 | 3164 | RdrCEF.exe | 89 | 20
Processes
- AcroRd32.exe, PID 948 (level 1)
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Screenshot (42).pdf"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - RdrCEF.exe, PID 3164 (level 2)
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Children:
    - RdrCEF.exe, PID 2096 (level 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CD896F665D83688B6ECBE93CDB16A73C --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe, PID 4884 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=60A05BA84966BEF3D5020A09AAE1A0F0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=60A05BA84966BEF3D5020A09AAE1A0F0 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe, PID 2792 (level 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=37E63FD4FC1A895617C7D0DD2F25C9F2 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe, PID 1512 (level 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72B6A947DCFB941F6B1D5116F38EC0BC --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe, PID 1480 (level 3, gpu-process)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=387B0C8F0F2859C2ABFE484A7446BC00 --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      Signatures:
      - System Location Discovery: System Language Discovery
    - RdrCEF.exe, PID 3524 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=32F00C785E71252CCCB32802BB5FAD68 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=32F00C785E71252CCCB32802BB5FAD68 --renderer-client-id=7 --mojo-platform-channel-handle=1916 --allow-no-sandbox-job /prefetch:1
      Signatures:
      - System Location Discovery: System Language Discovery
  - msedge.exe, PID 3676 (level 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.readingquest.net/materials/blurbs-volume-1/
    Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    Children:
    - msedge.exe, PID 2988 (level 3, crashpad-handler)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ddcc46f8,0x7ff9ddcc4708,0x7ff9ddcc4718
    - msedge.exe, PID 3372 (level 3, gpu-process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    - msedge.exe, PID 4392 (level 3, utility: network.mojom.NetworkService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe, PID 4916 (level 3, utility: storage.mojom.StorageService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    - msedge.exe, PID 2160 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    - msedge.exe, PID 2704 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    - msedge.exe, PID 4948 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
    - msedge.exe, PID 1348 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
    - identity_helper.exe, PID 5816 (level 3, utility: winrt_app_id.mojom.WinrtAppIdService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
    - identity_helper.exe, PID 6012 (level 3, utility: winrt_app_id.mojom.WinrtAppIdService)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - msedge.exe, PID 5280 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    - msedge.exe, PID 5552 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    - msedge.exe, PID 5580 (level 3, renderer, instant-process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
    - msedge.exe, PID 5568 (level 3, renderer)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
    - msedge.exe, PID 5576 (level 3, renderer, instant-process)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,2168734495458485717,3545693624107376729,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
- CompPkgSrv.exe, PID 4196 (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- AUDIODG.EXE, PID 652 (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f0 0x3f8
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 56KB
  MD5: 752a1f26b18748311b691c7d8fc20633
  SHA1: c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
  SHA256: 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
  SHA512: a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5
- Filesize: 64KB
  MD5: 24c219d14093ae8a427b9adf1013a16e
  SHA1: 28435da0c12d38d438ae28c70c82794f379f0e12
  SHA256: ce4ad42acebffa89357abf1898d12e6285ccc51b78d924077d80b65a86985765
  SHA512: 9965e16118a0eb23a3bdd7cd3877f5eec4ea071bffed9f0eae8f91129e2a5463dc19cebc2875f291cbd604a284922cada10587d96fc1b07c5224262c7370567c
- Filesize: 36KB
  MD5: b30d3becc8731792523d599d949e63f5
  SHA1: 19350257e42d7aee17fb3bf139a9d3adb330fad4
  SHA256: b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
  SHA512: 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e
- Filesize: 152B
  MD5: 34d2c4f40f47672ecdf6f66fea242f4a
  SHA1: 4bcad62542aeb44cae38a907d8b5a8604115ada2
  SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
  SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
- Filesize: 152B
  MD5: 8749e21d9d0a17dac32d5aa2027f7a75
  SHA1: a5d555f8b035c7938a4a864e89218c0402ab7cde
  SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
  SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 7KB
  MD5: 6c34c4d3c48e7471235c628325d140af
  SHA1: e74936458bd8a6a0a428f1beec761ae38cee2bf3
  SHA256: ad45b368515c8a34a213c4afe1752aaee4a280701bb637157c927a306f0ee44c
  SHA512: 2deb7b28d48cec0e1624daa6969d52b175d932e621b14e605407bea9282d5441ecaee47c587881947ecb4544c0b61f512a34553e17bef616986febe899d9b408
- Filesize: 6KB
  MD5: a59dd680035b2d94342c86643429f0d4
  SHA1: 626852d0893a767774255b48cec5c60b9d0fdc58
  SHA256: ce8f84ad5e5201010dceedf00cece026b05cb028fd341853f4054c22eed1f817
  SHA512: f2f0495a98f15b03dcc21266865b4850fcde928a982ef25768d76dd7b38ecf6ca99b6633c86a8bf0792bd9adf6415aa7a7887260388c83647f5e829f3b0a70f8
- Filesize: 7KB
  MD5: f7244635d72009a1e4492bdc27b1b4b1
  SHA1: d9de31a1451fc334e59cefc40b7033a5de19fa38
  SHA256: cf825cadd0e207e596069b7ad69c750b60383846f58e3a2652913dd4204a72f6
  SHA512: 4a089976a9f08769ad3570c56dfc6ddd939eb8ca102913ab3683415ff71e980327deaa0246a1368978905cab62ecdecfafe873c4f5b8bf3febc429fa7a8158f8
- Filesize: 538B
  MD5: 2afd59731e9280c9aa2ca8fb427927c7
  SHA1: 9377e4c1a5033762b8695434941c294d499560c7
  SHA256: 4f9a4284757b1ce4169c048989ed8b8620f976d0e0f4866118415761ba862025
  SHA512: f7b365952bece5707ef6616fea2fea6ead46079c0aacddc03567452cc83f6ae99d161063471f053e419c4b7b5bd57a25efebef85f17f7ddb536a1aa55947dae9
- Filesize: 371B
  MD5: f847d76a2158fd1f1aa20d0435420e2b
  SHA1: 7cee925faf65fd2f813eff5f0646c9cc108df706
  SHA256: 5e21734f2e33ca41fe192b06290cdf94109c17ab60d3205c722f62263c1d0263
  SHA512: 7c70563a851d24e5c5a8923e8fcaf5d4e31c93fc1124507cf5250ac303acb6d087c8238875da9a7364006cdaad5c09d3bd771789bae8300e0f4509a4ce3279d2
- Filesize: 204B
  MD5: cac460614466fe847c2097ca3ea03efe
  SHA1: faf39b36ce6a866fca066c5b6e9903feb876094e
  SHA256: eef8e6688dba7ba701eaedcaa86a07899a8b175c45cdfcc9c6db6f39e7b42b33
  SHA512: 515227a807aebcd211839c71b9895ac419f772a0d0dbf47284663c84b86aa84bfbcfddb254acfcd7f418a4b0c6924a7d090dbfb2307a0882d0d7867c56d21e3a
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 0e7966e553c83313da075aa6ff46c7a6
  SHA1: 345024dece3257232c360279cabb519bd5fd8620
  SHA256: 875590ccb18b6eb9f143b57c795abf41ed592bb228bed4abe3a6e22ab644d3bd
  SHA512: 660d20bcb7fc5dcbe5ae22a1a5af93f3c59e1727fbd850be11ea223be7b4ccd62fb7eff8cb73db76c9b8b8152b8d19bb378b2c43ea95d7482f249598aa8ac99b