Analysis
- max time kernel: 229s
- max time network: 220s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/04/2024, 22:44
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: http://blackmagicpartners.com
  - Resource: win10v2004-20240412-en
General
- Target: http://blackmagicpartners.com
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  - PID 3040: 䕅瘵㍮㜷癸x
- Suspicious use of SetThreadContext (1 IoC)
  - PID 5612 (Davinci Contract.pdf.exe) set thread context of 3040; procid_target 149
- Program crash (1 IoC)
  - PID 5832 (WerFault.exe), pid_target 3040; procid_target 149
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings (msedge.exe)
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  - PID 3384 WINWORD.EXE (×2)
  - PID 5612 Davinci Contract.pdf.exe
  - PID 2184 vlc.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  - PID 4816 msedge.exe (×2)
  - PID 3940 msedge.exe (×2)
  - PID 3200 identity_helper.exe (×2)
  - PID 3400 msedge.exe (×2)
  - PID 5492 msedge.exe (×4)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 5612 Davinci Contract.pdf.exe
  - PID 2184 vlc.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  - PID 3940 msedge.exe (×10)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeTcbPrivilege, PID 3820 svchost.exe
  - Token: SeRestorePrivilege, PID 3820 svchost.exe
  - Token: 33, PID 3444 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, PID 3444 AUDIODG.EXE
  - Token: 33, PID 2184 vlc.exe
  - Token: SeIncBasePriorityPrivilege, PID 2184 vlc.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - PID 3940 msedge.exe (×47)
  - PID 5612 Davinci Contract.pdf.exe
  - PID 2184 vlc.exe (×16)
- Suspicious use of SendNotifyMessage (32 IoCs)
  - PID 3940 msedge.exe (×24)
  - PID 2184 vlc.exe (×8)
- Suspicious use of SetWindowsHookEx (11 IoCs)
  - PID 3384 WINWORD.EXE (×7)
  - PID 2184 vlc.exe (×4)
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 3940 msedge.exe wrote to memory of 644 (procid_target 87) (×2)
  - PID 3940 msedge.exe wrote to memory of 3016 (procid_target 88) (×40)
  - PID 3940 msedge.exe wrote to memory of 4816 (procid_target 89) (×2)
  - PID 3940 msedge.exe wrote to memory of 3144 (procid_target 90) (×20)
Processes
- PID 3940: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://blackmagicpartners.com
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 644: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d4d746f8,0x7ff8d4d74708,0x7ff8d4d74718
  - PID 3016: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  - PID 4816: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3144: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  - PID 2596: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  - PID 4572: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  - PID 4104: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  - PID 2488: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  - PID 3200: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2936: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  - PID 776: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  - PID 5384: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  - PID 5392: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  - PID 5960: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  - PID 5204: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  - PID 1356: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  - PID 3436: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3184 /prefetch:8
  - PID 3400: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5492: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15607083169556234653,15079665514016279834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5072 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 4024: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 3388: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 5636: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 3820: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 4564: dashost.exe {c274138c-5703-4090-a91552bf89365dc1}
- PID 3384: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\[Videoeditor] Contract + Preview 11.04\Davinci Resolve 18\Document for partners.docx.docx" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- PID 5612: "C:\Users\Admin\Downloads\[Videoeditor] Contract + Preview 11.04\Davinci Resolve 18\Davinci Contract.pdf.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow
  - PID 3040: "C:\Users\Admin\AppData\Local\Temp\䕅瘵㍮㜷癸x"
    Signatures: Executes dropped EXE
    - PID 5832: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 372
      Signatures: Program crash
- PID 4744: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3040 -ip 3040
- PID 2184: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\[Videoeditor] Contract + Preview 11.04\Davinci Resolve 18\Davinci Resolve 18 Trailer.mp4.mp4"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- PID 3444: C:\Windows\system32\AUDIODG.EXE 0x508 0x50c
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads