Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
2s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06/09/2024, 17:03
Errors
Reason
Machine shutdown
General
-
Target
d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe
-
Size
255KB
-
MD5
d006bac7387f1928c1ce6b8a26605311
-
SHA1
2bfc6117f49fdc4e01e41057eb9433aa8d3e3052
-
SHA256
ad2d9e9ccf4071b62734a41e10deb2f488aa6991b24eb4d291bed295a83fd3d7
-
SHA512
477686222adb487030904d4c405155ce125366a41e13cee9a76253947faf5b3f8002d45bc6f1567f8ecd19b68c73b5dc8c2cd76df21daabc82ec6ab7277978b0
-
SSDEEP
6144:YoTf1YERoTf1YEzoTf1Y06Ifn8xAfIn2uR:YoTfDRoTf7zoTf7rn8egn2u
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 23 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 15 IoCs
-
Executes dropped EXE 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\87DD.tmp\87DE.bat C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\87DD.tmp\2b2t.exe2b2t.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\89E1.tmp\89E2.bat C:\Users\Admin\AppData\Local\Temp\87DD.tmp\2b2t.exe"4⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeQueue.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8AAC.tmp\8AAD.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"6⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BB5.tmp\8BB6.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"8⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C61.tmp\8C62.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"10⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D4C.tmp\8D4D.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F5F.tmp\8F60.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9422.tmp\9423.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9441.tmp\9442.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F6F.tmp\8F70.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9664.tmp\9665.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\96A2.tmp\96A3.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D6B.tmp\8D6C.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90A7.tmp\90B8.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AF.tmp\94AF.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94AE.tmp\94AF.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90C6.tmp\90C7.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9CBD.tmp\9CBE.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D0C.tmp\9D0C.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C62.tmp\8C62.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"10⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E26.tmp\8E27.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90D6.tmp\90D7.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A4C.tmp\9A4D.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9AC9.tmp\9ACA.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90B8.tmp\90B8.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D0B.tmp\9D0C.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D1B.tmp\9D1C.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E65.tmp\8E66.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91C0.tmp\91C1.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9829.tmp\982A.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9887.tmp\9888.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9191.tmp\9192.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\978E.tmp\978E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9771.tmp\976E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BA6.tmp\8BA7.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"8⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C81.tmp\8C82.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"10⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E75.tmp\8E76.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91B2.tmp\91B2.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\98F4.tmp\9905.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9942.tmp\9953.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91B1.tmp\91B2.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\973F.tmp\9740.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9EB1.tmp\9EB2.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9E92.tmp\9E93.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"18⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9710.tmp\9711.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D69.tmp\9D6A.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9DB7.tmp\9DB8.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"18⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe19⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8E76.tmp\8E76.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90D7.tmp\90D7.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9470.tmp\9471.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\94B1.tmp\94AF.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90B7.tmp\90B8.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9606.tmp\9607.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9645.tmp\9646.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C52.tmp\8C53.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"10⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DB9.tmp\8DBA.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\93E3.tmp\93E4.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\978D.tmp\978E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9412.tmp\9413.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe11⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DA9.tmp\8DAA.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"12⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91FF.tmp\9200.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\976E.tmp\976E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\976D.tmp\976E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe13⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\924D.tmp\924E.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\97AC.tmp\97AD.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe15⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9819.tmp\981A.bat C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe"16⤵
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exeC:\Users\Admin\AppData\Local\Temp\89E1.tmp\Queue.exe17⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\PING.EXEping 127.0.0.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\shutdown.exeshutdown.exe /s /t 003⤵
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3908055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185KB
MD536e73597948fbbcc8c1ee1c09068e1dc
SHA12143fd9e0cb82f4b51494c245855d405fc092ff0
SHA2563ab4f96969c5b663203d19d7b4dc0f91d31bd65bc7662fecc37f7b788fe74985
SHA512cb868d04217ed3a54bcab674d0f0718f5bb71e148824080799816b924f4dd1d1147b845b346aeb6dae7ded7aa269163472a06b2516bc224a86d64940bc009d65
-
Filesize
189B
MD5054319e0976a05e18b0218f63bf57d9d
SHA13b6b9aed46dd9590d2ad06a72082e35ecbed829b
SHA2568b633af759450256ef78656954933f6c81c3039798fe623fe34d4a56feb8d123
SHA51224a5af58c81bf286c565b39012317771a87c5f67d49a2f322becc9e7a3a5db2240b0e98108418ba8981ed2fd5a1e7171658030607c359c8c374c467b7bffbcae
-
Filesize
498B
MD5f12b60a1e6b71dc6377e698cafb960e2
SHA1601694c10cdb76638e53859e09f8fa0bfb1b8625
SHA2561602f10c43649d4e28357446321b36df58ed40f3692b4ce833125cdb3eccaaf4
SHA5120e8185e77a0a057d6cd20f74a759cc0a1aba24ca9a5fcab5f0b252105631ebe4b58767809862e4db64665ebd19069992acbf02d588a0a643b83fee75df2519ac
-
Filesize
115KB
MD50e6ce768bbd53a3d303875d08c76b8a8
SHA1fc4dfa831b76433c1b6fb5950045a53ccd1f246d
SHA256e237cf416742a3d5619bf7c92eb5df3e7ddf852ed2b94a3fa756af75679b9253
SHA512b0e2405779a029fe44bbca4b65fbf06d964cf96ffaa4886045e99a08690cd398d1d4978ba485cf465e4c8e6dd8c58f5deb8d53cdc55e956491433d3046885a69
-
Filesize
156B
MD51e67264fbc9eb77c6b6586690dd59983
SHA11f092df75aea35d73f91cf38c3714cfb8f8bd3bc
SHA256a89739b55abf4bbb145d582bcf9a8825962be4ee0340cf1ef1221dd4af764535
SHA512feabae1315e59b55bc820b6393004efbb14076f3550d1789835dd0b2c3f1dca25e839ab53885103d70692981b49f45377d437f218510bfa38cb8820de41b3dcf