Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
336s -
max time network
339s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
22/07/2024, 21:09
General
-
Target
https://disk.yandex.ru/d/LdNFOFnpJ78Ahw
Malware Config
Signatures
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 5 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/LdNFOFnpJ78Ahw1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8feef46f8,0x7ff8feef4708,0x7ff8feef47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1420 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6816 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6784 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,3058147081529927208,3769128301760491035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat" "1⤵
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"1⤵
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Nursultan_Nextgen\Инструкция.txt1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault19b7b7c2h24e1h491fha2c2hc2d683818e5b1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ff8feef46f8,0x7ff8feef4708,0x7ff8feef47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8969370468721943883,5608954824883333249,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8969370468721943883,5608954824883333249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"1⤵
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"1⤵
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"1⤵
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\system32\findstr.exefindstr /i "echo" "C:\Users\Admin\Downloads\Nursultan_Nextgen\Nursultan Nextgen\start.bat"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=5288822⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8feef46f8,0x7ff8feef4708,0x7ff8feef47183⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50a0b9741cb338c26f1594fb7f83df461
SHA1b2fc8014a8629249995bdcc1733e0792260f10c8
SHA25614b3616e9b73bbbd70d1cf8032825a1e5d22550590f08c218b7301a44c1d7bd9
SHA512cc8cf13f94e23596b7a7ef5f551dd7a7c0ff34122ab4ef95c419460505a3cf07c2e0f843674418ff3a728dfbad842a55f810d3f09fcf11ff5155760a22c7e039
-
Filesize
152B
MD51f9d180c0bcf71b48e7bc8302f85c28f
SHA1ade94a8e51c446383dc0a45edf5aad5fa20edf3c
SHA256a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc
SHA512282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785
-
Filesize
152B
MD560ead4145eb78b972baf6c6270ae6d72
SHA1e71f4507bea5b518d9ee9fb2d523c5a11adea842
SHA256b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7
SHA5128cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde
-
Filesize
152B
MD51f445c4981482d67d3c2c8037ee9d8b1
SHA15b2fabf127b1efe3d32718afb85006cd1c680999
SHA2563da4ce858fe015cde6c18d89bd422f8053a132831ba55b9ffdec1c60c0cc4840
SHA5123049df14bb353728473c399528de23f4c68df65269cc4c051a0582c57036b3431b3fc1a19f94f2e022a4aed2380ca8544e8018bf16228abee5ceca9281af5d04
-
Filesize
152B
MD5b83f25072fb6a43059574765c2b52698
SHA1ec9d0f626ea3d427e5f38ae23357c91261ff2fcc
SHA256b480ea713215d4bbf0f74f51ecdeafa8935b0715cd9cfdf07a1a8a01c739aa8b
SHA512d0c5d44c506dfb4c75eb507ba15c0c2fb50cad9d0d2ad8266dd758b672da17749153b2d5a0792272a146dd12c01e6a9e5506a98768b1821668298f1e2650a404
-
Filesize
408B
MD5c6c64b60ed8b71b702c2e53d9c178dd2
SHA1414984c47dc5c3ae0f747fbd0ed22c6b08c47215
SHA25609b0561b9eb26add4059f7898279780969a8e29275beb598e0783277bfb8b3de
SHA5120d38a064ebebe58a9aeee027418df7197355eb401f314b6df20173ab6e05682dbd7efd6955ea4fcde01e579f7fa7d9446b7e089a01ae8429e465089c41cb0149
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
550B
MD53c374cea9a0cbed2b03ee91d7e98128c
SHA1729ee0c990849c11767ce6f8f5905e3d76db2a55
SHA256e8fe3830fb9a1a9e6132e63747606b7e6cfa045137ec2c6d59ca085b5ada5432
SHA5128770972366a33018b93cdd968e75a926de9c85208378802771bf58c599ecc8efdcb3184a39a54390c275e2572d8e9a3c2aa941fcc13a1f345e4b880066332888
-
Filesize
620B
MD58ae97c67851b7ed1f7bc09941f166a50
SHA1c8cdd666a1f8382003bfec9f60c8860f0331efe0
SHA256a25af49ac2963394621f5133487d22140b73c244cf8f39e08b27987f16cd8c06
SHA512686eec28cd43e88e4a6fe0058432e4482bfcaf4552a852b9dcc50900629d34fadcf0ba87659f387b1fb680f85558edc20505038508655e9ecbc267cd9e021bc6
-
Filesize
5KB
MD558e9732d0bef28135d444b6de2fbc297
SHA1d529461478123b313732a91809246ac60ff98655
SHA256634609b91c6d40d91401f4f5e156ed2ddd1551c6d6c5db572c3c64269c57fbdd
SHA512bbe618affc00b4244e2986e81aafe030bd05db4c7d08d9fd724766666f2dae7623ad6a1b5c1830f23c881682f53cf38f3286311e184c66a5de8c176862917037
-
Filesize
6KB
MD586115c11d72bc58dc565c96c432d6ed5
SHA1fa5b6c828200d52dd66cf73c0ba331ad33425683
SHA25614b48072067d4546cd4ba0e5dcdef6f3647e9378f5d51b390e28152998c14fbe
SHA512525f13fa8f89d6b6030918cd6fd7e7fde27bd7c8c948d3f9c4bd0b5dbbe642649586acd792a97c9a263a722b09c5965fb3a4d162a7eac7078533d089969dd731
-
Filesize
6KB
MD5afd73dec9879d4e9133d0a0db75bc611
SHA1b12df32045559ceaf111ae395ab020b0c69ca618
SHA256206ad81e345097d0dc22895e5cbf4862d8bda6fb82d656d170375e0fc400862f
SHA512904deab71cd265da5f5d120a5d72934f7e475bf6fc623f139560c17431cbfbbce4c4d9de2ad4d2b86124e61d2b11859ca0ea6fab400e84dc75e80bd2c5179f29
-
Filesize
7KB
MD5cc3207281b4e513112740fdb3ab9eb2d
SHA1f28fe28b67b3d2c89436c9b2a28b7bf36951acb9
SHA2568bba25e51975bbd9ebadff6ab0c98c432634192d5d76e1b1acc5b1063f2fa066
SHA512e4f437a70e151c058f4a41e256430d95b268ce9485b7e151fc7659f7d75f008ec2528b5cd4953a1a242d50e333244df1768bd9a96dd424d8664db66bf3aa7997
-
Filesize
6KB
MD57c384292692cbba5c5bc7c10569f1fe0
SHA1586e6f2738778151709a582e22d8351b5364bbf1
SHA256dbf9595c34c4e0b261d707ab26196beb79d0be5f1e47546ae78d2aae659fcc42
SHA51214da7f082a7d1324cff71af0faf166b6fd05a3cb1eb70f2d679070f17d1f5172853bca24889a49b3d540cf9e7f5f166c69191860c649b3781dc8089d62624814
-
Filesize
6KB
MD538b98d0972b70c95946895a5f54d8400
SHA12865545643db3d9e91205e891ffa1bb46554300c
SHA2563bc7be0817bb2300bb9730e2cfd3fb09cdc83f977a1d33f1f151d8657dbfd850
SHA51260d6eb83b0ea0f3883697b9a45b41e65ef752803657a2d946de53cd217ea6970c0e245cb9cc298557c9cc399acfcf15a6c208bdc95383862a575a075093fda73
-
Filesize
6KB
MD5bee7732370f24ed92bd23297818d4369
SHA1b2f4fd10a00c66144e3fd64720ec664385e25ae2
SHA2560e7e43c8d5a95e07871db317e93fb0cdc91494e41bc4e01f9aceedbd689c02d7
SHA512e87f2c111175890b2426a0b505f9b744056c6c89ec4f54c2e78bbcbcb23c98e4670f879ec1c63537f451187895456efb1d0202b10545cef6973c83123a1e031f
-
Filesize
6KB
MD5cbfbc5b0c5d37cea09f759cc95fbd244
SHA1a3150ee561892335b701e7e41baa5fdc5b19b47a
SHA2565d6fb2c33570ecdad8f0b3ec08558a540d76b6a9963ce252498c9acebc8cdfa4
SHA5129414733431d555b3de4d0937a7a16c83f8b76535ff4e33689a8007681db9b8ac2240848437277f8e3a1d7a19961b88e4532bbde3c9a46c22aee705908ada3480
-
Filesize
6KB
MD5ffacdab1c60484eb9839edd3bc9f5e05
SHA1bbb2479804ec6a36593ec203cc95d18e538d4d42
SHA256ce0419221c0026212f2a059d30245031be087f637aa947ebb2b3039d1c276192
SHA512482c017f7bb495765d822929516d6952837af08cbc9db8b1b0068f1a3945991104cf77263dc4ac8e81626a1601b42da0b6a0b1803d5d0e267e587ba7ed5c6dc4
-
Filesize
1KB
MD52a8f4ab6247456dedac06380e5614ccb
SHA17b4612ea9b8fda2ae6cf684ce67a2ac0c9ac81c8
SHA2561439230358c56774c0158f309fb0ab973ab399853c87751e0648b4dc4fa15501
SHA51255537fe34e16d5d63c3f7076031463c3d7863d6372122f66a19e181a43b585ec62cc1111cc9cb7ad27e6bc44b195cca952d96e68adcbc47a25014d00dec416f8
-
Filesize
705B
MD5a13113d2787f3dfe002abe54adaec72f
SHA12d3fce15e643886dad7b68e3cbf9a4576764ba75
SHA256675a34347239ecbec1ab3353889d892f211985e4135c390b3101bb0e9c68f0d6
SHA512030b8f7619e3d6a4a0ab9831d36b871726e3e808dbbe1e9879ccfdcd316974365f13b3b64617e54081df6f23a3c336dbe11d1d69c64cb4c767d50701c527ff79
-
Filesize
705B
MD517ce142c548093df26917a9af5b7785f
SHA1aa2b897a4e45b0961174fb7c0c90167e3808bfee
SHA256aa10bc43b688beed0ff34ed91a3d8a8164cc61def340d3f90440a5e120ee2175
SHA512e20b02e93098273bb6581bcc4e2ad9c4c04134fd0fd164fba160bb8cda22395480228c07629e3777e0c34b4c0d9c3ed05e768c1eff69eaae6fe757746ed5387e
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
12KB
MD5378b8f14418d81025e596b3dc08d4351
SHA1b66e22773082627839970b7c04521902d9be8578
SHA25617aa3b3f784e2ace9e6be34e988d8315b0b54b678d06d7e7df28eb71c40b49b8
SHA512b934ae9cf18192cbea1673e1d2f93c75e927bb2645f8a9cc69cad59c1257dba643e970df455e59fe9975162d800bc2b956384b6a34339c9070ffa45ba66d048c
-
Filesize
12KB
MD5884258139ce92351df427374ee714a30
SHA10a415bca0640eb852303817e879d6502a4b5066f
SHA2564f02d0cbb0edd25e4cc493b948a86acd752328b31e9c3cf3350c87c31d7d8bae
SHA5126692d96cd656854035973cf24ef4fd96a76ab63a002212de252741be60a124aa1ed648830b6da279658a12349c2402a69550cb2489f2cc3308651bf3acd47711
-
Filesize
11KB
MD5337fd8fe3ef6ad2c9f67927b4b9b5c6d
SHA145dc20d5b19d4562333340d16f50f3f8515c9502
SHA256d2790f7b0dd8647796cbfd7fc1b4a755cb365aea04e91d064dad705007c9847c
SHA5123c57056c36088a97f1485734c486ddf196313106859d143acb8bf3cc12edcfadef159b5c0cd6004cfc30cfbb46d52df401529d6d8b2303bc8b1fb315252452f3
-
Filesize
12KB
MD5a21ddb5649c2ce3315b3a3560007732d
SHA160098a8003cb1ea8c7d832edf6b31a56437a8169
SHA2567c5594a2d31266420e2cfd4b797733313571a0b2a8fc8d01e610eaabdc87e57e
SHA5121653adc75724ffd7ff0b3c49625a51a2bc7f57b73bdd527651fbe52441178b412c298ce82e5e8d03649ba2f0346a19318bcc89cb2a92795899bd98b8e7eb6bae
-
Filesize
12KB
MD50d0835160c8e62fe5cc519f7cb539a62
SHA1eab9851ee2f34999eac4b7bf7c1af980f7bf2b39
SHA256f58da45ae0ff5772f14d20546e09edc6fd8fd8adc04191afb0b7c8e8612f7589
SHA5123fa3377093ee3fa5d505a340240c0468a28926e96f8b0efc580f70b593b9445bd233aa8146dee00c184c7c369f7c73fbb24a8e0cdf8b0a575636e32f2825f8f0
-
Filesize
1KB
MD5f4733332e07522db085ca1d9bbdccd60
SHA1e26f594ad507b7b89e61ecf2588124a6e3e28ad4
SHA2566e3001967982e38a2933ee941b31925d09dd72bb10e16071930c8eeef5d7859b
SHA512e6eada50306d18f85cddbfe23ad5b1b051945f761851021dcc3da6218fe93c54dd644196e4d43d895a3119f02aeb0892d19768e1e63d2b34bbd6eb3d8fe2ea5f
-
Filesize
1KB
MD5d83c998ee984e3dabfab8b8eb0df6bd0
SHA17043947be6389770f255f6b1def6fcbccc45db6f
SHA256f5539bdf7b8ddc990a44334fcbefa7581dbb1803565d875e9cd36b6adc6b4be2
SHA512da1307673c52cbe4d800cfa9d23c77de04d9179121ca47c150b4658475cc68cc44a355e4bf57572d34b9462f07b8b211db50e307fdf949e6f1e76d0b1865671f
-
Filesize
1KB
MD50db140c2cf6c6cca75d115c1e8e1897c
SHA1cf4b1f8e40300500ed78562fee101db472ce03c4
SHA2568d0959f16d4deb2312eed599b66fe0bbf2a289a377fd3094eccebf536aa6272f
SHA512d92925405cffa8945c145b371087e8bfb0ae687ec7233ad0de85266b77ed5affec09b5598e5caf8275f587009c7aa1373359e5166fbbf0f31b11a77d34c60f13
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
199B
MD5d4cfcc8678f1146f950256544526e904
SHA1be5dc5e55d45f7c4e03ad97b249417b578bb66dc
SHA256d37d5d727b74d52490b36daa54023ab8bac4eef33b19075bc7119e1dfe2a7622
SHA512f7707e76ca57983e807b0c2f35547d12d9900e64d91d642c26849e3feff624ecb740c982fccfc9c9b2c6ff13db6f78024dc31887792a68bc3545ff47d3548172
-
Filesize
13B
MD5337065424ed27284c55b80741f912713
SHA10e99e1b388ae66a51a8ffeee3448c3509a694db8
SHA2564ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b
SHA512d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a
-
Filesize
144KB
-
Filesize
136KB
-
Filesize
168KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB