ad2d9e9ccf4071b62734a41e10deb2f488aa6991b24eb4d291bed295a83fd3d7

Analysis

max time kernel
2s
max time network
12s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe
Size

255KB
MD5

d006bac7387f1928c1ce6b8a26605311
SHA1

2bfc6117f49fdc4e01e41057eb9433aa8d3e3052
SHA256

ad2d9e9ccf4071b62734a41e10deb2f488aa6991b24eb4d291bed295a83fd3d7
SHA512

477686222adb487030904d4c405155ce125366a41e13cee9a76253947faf5b3f8002d45bc6f1567f8ecd19b68c73b5dc8c2cd76df21daabc82ec6ab7277978b0
SSDEEP

6144:YoTf1YERoTf1YEzoTf1Y06Ifn8xAfIn2uR:YoTfDRoTf7zoTf7rn8egn2u

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!2774.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!24995.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!29035.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!22254.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!18579.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!19116.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!27690.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!12360.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!25512.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!9461.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!4013.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!21525.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!17024.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10051.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!4122.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!12263.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-!15873.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10044.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0W4-e!10047.exe	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2896	2b2t.exe
2836	Queue.exe
2660	Queue.exe
1324	Queue.exe
2748	Queue.exe
828	Queue.exe
3008	Queue.exe
836	Queue.exe
696	Queue.exe
544	Queue.exe
2368	Queue.exe
904	Queue.exe
2152	Queue.exe
408	Queue.exe
1936	Queue.exe
2552	Queue.exe
1756	Queue.exe
2844	Queue.exe
2712	Queue.exe
2008	Queue.exe
2220	Queue.exe
1192	Queue.exe
1624	Queue.exe
1612	Queue.exe
1516	Queue.exe
3000	Queue.exe
1804	Queue.exe
1848	Queue.exe
1708	Queue.exe
2816	Queue.exe
784	Queue.exe
2964	Queue.exe
2636	Queue.exe
1404	Queue.exe
1768	Queue.exe
2244	Queue.exe
444	Queue.exe
1032	Queue.exe
1604	Queue.exe
3128	Queue.exe
3120	Queue.exe
3284	Queue.exe
3292	Queue.exe
3316	Queue.exe
3372	Queue.exe
3744	Queue.exe
3736	Queue.exe
3848	Queue.exe
3856	Queue.exe
3908	Queue.exe
3900	Queue.exe
4060	Queue.exe
4052	Queue.exe
3396	Queue.exe
3324	Queue.exe
3412	Queue.exe
3596	Queue.exe
3604	Queue.exe
3380	Queue.exe
3404	Queue.exe
3364	Queue.exe
3724	Queue.exe
3792	Queue.exe
4008	Queue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b2t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Queue.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2800	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2800	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
2896	2b2t.exe
2836	Queue.exe
2660	Queue.exe
1324	Queue.exe
2748	Queue.exe
828	Queue.exe
3008	Queue.exe
696	Queue.exe
836	Queue.exe
544	Queue.exe
2152	Queue.exe
2368	Queue.exe
408	Queue.exe
904	Queue.exe
1936	Queue.exe
2552	Queue.exe
1756	Queue.exe
2844	Queue.exe
2712	Queue.exe
2008	Queue.exe
2220	Queue.exe
1192	Queue.exe
1624	Queue.exe
1612	Queue.exe
1516	Queue.exe
3000	Queue.exe
1804	Queue.exe
1848	Queue.exe
1708	Queue.exe
784	Queue.exe
2816	Queue.exe
2964	Queue.exe
2636	Queue.exe
1404	Queue.exe
2244	Queue.exe
1768	Queue.exe
444	Queue.exe
1032	Queue.exe
1604	Queue.exe
3128	Queue.exe
3120	Queue.exe
3284	Queue.exe
3292	Queue.exe
3316	Queue.exe
3372	Queue.exe
3324	Queue.exe
3404	Queue.exe
3396	Queue.exe
3364	Queue.exe
3380	Queue.exe
3412	Queue.exe
3736	Queue.exe
3744	Queue.exe
3848	Queue.exe
3856	Queue.exe
3900	Queue.exe
3908	Queue.exe
4052	Queue.exe
4060	Queue.exe
3596	Queue.exe
3604	Queue.exe
3724	Queue.exe
3792	Queue.exe
4008	Queue.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1572	2380	d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1572	2380	d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1572	2380	d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1572	2380	d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe	30
PID 1572 wrote to memory of 2896	1572	cmd.exe	32
PID 1572 wrote to memory of 2896	1572	cmd.exe	32
PID 1572 wrote to memory of 2896	1572	cmd.exe	32
PID 1572 wrote to memory of 2896	1572	cmd.exe	32
PID 1572 wrote to memory of 2800	1572	cmd.exe	33
PID 1572 wrote to memory of 2800	1572	cmd.exe	33
PID 1572 wrote to memory of 2800	1572	cmd.exe	33
PID 2896 wrote to memory of 2900	2896	2b2t.exe	34
PID 2896 wrote to memory of 2900	2896	2b2t.exe	34
PID 2896 wrote to memory of 2900	2896	2b2t.exe	34
PID 2896 wrote to memory of 2900	2896	2b2t.exe	34
PID 2900 wrote to memory of 2836	2900	cmd.exe	36
PID 2900 wrote to memory of 2836	2900	cmd.exe	36
PID 2900 wrote to memory of 2836	2900	cmd.exe	36
PID 2900 wrote to memory of 2836	2900	cmd.exe	36
PID 2836 wrote to memory of 2732	2836	Queue.exe	37
PID 2836 wrote to memory of 2732	2836	Queue.exe	37
PID 2836 wrote to memory of 2732	2836	Queue.exe	37
PID 2836 wrote to memory of 2732	2836	Queue.exe	37
PID 2732 wrote to memory of 2660	2732	cmd.exe	39
PID 2732 wrote to memory of 2660	2732	cmd.exe	39
PID 2732 wrote to memory of 2660	2732	cmd.exe	39
PID 2732 wrote to memory of 2660	2732	cmd.exe	39
PID 2732 wrote to memory of 1324	2732	cmd.exe	40
PID 2732 wrote to memory of 1324	2732	cmd.exe	40
PID 2732 wrote to memory of 1324	2732	cmd.exe	40
PID 2732 wrote to memory of 1324	2732	cmd.exe	40
PID 2900 wrote to memory of 2748	2900	cmd.exe	41
PID 2900 wrote to memory of 2748	2900	cmd.exe	41
PID 2900 wrote to memory of 2748	2900	cmd.exe	41
PID 2900 wrote to memory of 2748	2900	cmd.exe	41
PID 2660 wrote to memory of 2804	2660	Queue.exe	42
PID 2660 wrote to memory of 2804	2660	Queue.exe	42
PID 2660 wrote to memory of 2804	2660	Queue.exe	42
PID 2660 wrote to memory of 2804	2660	Queue.exe	42
PID 1324 wrote to memory of 2972	1324	Queue.exe	44
PID 1324 wrote to memory of 2972	1324	Queue.exe	44
PID 1324 wrote to memory of 2972	1324	Queue.exe	44
PID 1324 wrote to memory of 2972	1324	Queue.exe	44
PID 2748 wrote to memory of 2776	2748	Queue.exe	45
PID 2748 wrote to memory of 2776	2748	Queue.exe	45
PID 2748 wrote to memory of 2776	2748	Queue.exe	45
PID 2748 wrote to memory of 2776	2748	Queue.exe	45
PID 2900 wrote to memory of 828	2900	cmd.exe	47
PID 2900 wrote to memory of 828	2900	cmd.exe	47
PID 2900 wrote to memory of 828	2900	cmd.exe	47
PID 2900 wrote to memory of 828	2900	cmd.exe	47
PID 2804 wrote to memory of 3008	2804	cmd.exe	49
PID 2804 wrote to memory of 3008	2804	cmd.exe	49
PID 2804 wrote to memory of 3008	2804	cmd.exe	49
PID 2804 wrote to memory of 3008	2804	cmd.exe	49
PID 2804 wrote to memory of 696	2804	cmd.exe	50
PID 2804 wrote to memory of 696	2804	cmd.exe	50
PID 2804 wrote to memory of 696	2804	cmd.exe	50
PID 2804 wrote to memory of 696	2804	cmd.exe	50
PID 2900 wrote to memory of 836	2900	cmd.exe	51
PID 2900 wrote to memory of 836	2900	cmd.exe	51
PID 2900 wrote to memory of 836	2900	cmd.exe	51
PID 2900 wrote to memory of 836	2900	cmd.exe	51
PID 828 wrote to memory of 2412	828	Queue.exe	52

C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\A7C5.bat C:\Users\Admin\AppData\Local\Temp\d006bac7387f1928c1ce6b8a26605311_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\2b2t.exe
    2b2t.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A841.tmp\A842.bat C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\2b2t.exe"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A89E.tmp\A8AF.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        6⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A8EC.tmp\A8ED.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        8⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A94A.tmp\A94B.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        10⤵
        Drops startup file
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB1E.tmp\AB3E.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF23.tmp\AF24.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF33.tmp\AF34.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAC1.tmp\AAD1.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEBC.tmp\AEB7.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B4BF.tmp\B4C0.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6332
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B4FE.tmp\B4FE.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEBA.tmp\AEB7.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6384
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B4DE.tmp\B4DF.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6468
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B4ED.tmp\B4FE.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A989.tmp\A989.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        10⤵
        Drops startup file
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAE0.tmp\AB00.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3596
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE8A.tmp\AE88.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3F5.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B451.tmp\B491.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE87.tmp\AE88.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6356
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B4FD.tmp\B4FE.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6492
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B502.tmp\B4FE.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AADF.tmp\AB0F.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD9E.tmp\AD9E.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B348.tmp\B349.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5700
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B349.tmp\B349.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD9D.tmp\AD9E.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3F8.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5220
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B480.tmp\B491.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A90B.tmp\A90C.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        8⤵
        Drops startup file
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9B7.tmp\A9B8.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        10⤵
        Drops startup file
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABD9.tmp\ABDA.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADCC.tmp\ADCD.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B427.tmp\B424.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3F9.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADCD.tmp\ADCD.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B31A.tmp\B31A.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B319.tmp\B31A.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABDA.tmp\ABDA.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AED5.tmp\AED6.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6728
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B53B.tmp\B53C.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6744
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B53C.tmp\B53C.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AED6.tmp\AED6.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A98C.tmp\A989.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        10⤵
        Drops startup file
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAA1.tmp\AAA2.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE2A.tmp\AE2B.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B403.tmp\B404.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3FC.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE1A.tmp\AE1B.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3FE.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5260
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B423.tmp\B424.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB2D.tmp\AB3E.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        12⤵
        Drops startup file
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADEB.tmp\ADEC.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3A6.tmp\B3B6.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5744
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3B6.tmp\B3B6.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADDC.tmp\ADDD.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        14⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:6108
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3F4.tmp\B3F5.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        15⤵
        
        PID:5196
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B424.tmp\B424.bat C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe"
        16⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        
        C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe
        17⤵
        
        PID:6992
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A90C.tmp\A90C.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:2776
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9A7.tmp\A9A8.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:1136
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC17.tmp\AC18.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:2320
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AFB0.tmp\AFB1.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        Drops startup file
        
        PID:4560
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:4836
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:1532
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4544
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B174.tmp\B175.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:5024
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6376
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6912
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC27.tmp\AC38.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:548
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AFB1.tmp\AFB1.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        Drops startup file
        
        PID:4604
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:4636
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6452
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4588
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B1A3.tmp\B1A4.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:5164
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:1384
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6732
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A988.tmp\A989.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:2648
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC18.tmp\AC18.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:2304
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEB6.tmp\AEB7.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        Drops startup file
        
        PID:4476
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:4148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3B6.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        14⤵
        
        PID:7032
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6956
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0B9.tmp\B0BA.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:4444
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:5928
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6952
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD21.tmp\AD22.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:3444
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B145.tmp\B146.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:4832
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6304
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:4376
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4272
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A93A.tmp\A93B.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:2412
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACC3.tmp\ACC4.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:3336
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B06B.tmp\B06C.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:4948
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:5392
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6804
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2FA.tmp\B2FB.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:6400
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6788
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6352
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD7E.tmp\AD7F.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:3388
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B28D.tmp\B28E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5840
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6776
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:2120
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5876
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:836
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A959.tmp\A95A.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:2404
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AA53.tmp\AA54.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:2156
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AC94.tmp\AC95.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:3172
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B02E.tmp\B02E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:4784
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:5224
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6720
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B220.tmp\B221.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:5288
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6524
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:3668
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD60.tmp\AD60.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:3704
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B240.tmp\B240.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:5536
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6516
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        13⤵
        
        PID:6896
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:5364
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AA72.tmp\AA83.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:2116
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE59.tmp\AE5A.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        Drops startup file
        
        PID:4256
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B30A.tmp\B30B.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        12⤵
        
        PID:6092
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6364
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0D9.tmp\B0D9.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:4648
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6408
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6828
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:544
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A979.tmp\A989.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:984
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADAD.tmp\ADAE.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:4116
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B27D.tmp\B27E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5756
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6784
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:1100
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5636
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0A9.tmp\B0AA.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:4224
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5616
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6820
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1936
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9D7.tmp\A9D7.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:3064
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD63.tmp\AD60.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:4044
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4760
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B230.tmp\B230.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5432
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6512
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:3776
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5372
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:3656
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B08A.tmp\B08B.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:5076
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5476
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6796
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2552
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9D6.tmp\A9D7.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:1964
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACB3.tmp\ACB4.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:3196
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B01D.tmp\B01E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:4708
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:5212
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:2380
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B221.tmp\B221.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5332
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6540
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6744
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD5F.tmp\AD60.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:3680
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B241.tmp\B240.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5580
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6644
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:4280
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5384
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1756
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AA15.tmp\AA16.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:1500
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACA4.tmp\ACA5.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:3152
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B031.tmp\B02E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:4876
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:5276
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6848
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5628
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6740
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:3628
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD64.tmp\AD60.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:3216
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B23F.tmp\B240.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:5504
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6488
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        11⤵
        
        PID:6968
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5404
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2844
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAA2.tmp\AAC1.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:1308
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE97.tmp\AE98.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:4400
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B367.tmp\B368.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:6220
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6096
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:4200
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0D8.tmp\B0D9.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:4572
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5948
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6812
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2712
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAB1.tmp\AAC1.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:3052
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AEB7.tmp\AEB7.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:4460
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B31C.tmp\B31A.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:7120
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:7080
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0E8.tmp\B0E9.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:4892
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:7136
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:7048
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1848
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AAC0.tmp\AAD1.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:2780
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3412
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE88.tmp\AE88.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        Drops startup file
        
        PID:4384
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B396.tmp\B3D6.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        10⤵
        
        PID:7024
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:7128
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0E9.tmp\B0F8.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:5004
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:7144
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6980
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:444
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACB4.tmp\ACB4.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:3232
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B02D.tmp\B02E.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:4816
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:5236
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6768
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:4728
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B22F.tmp\B230.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:5420
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6528
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4312
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3324
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE5A.tmp\AE5A.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        Drops startup file
        
        PID:4232
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2BC.tmp\B2BD.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        8⤵
        
        PID:6020
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:6712
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        9⤵
        
        PID:4028
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:5940
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4360
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B107.tmp\B108.bat "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe""
        6⤵
        
        PID:5100
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:6048
        
        C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        "C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe"
        7⤵
        
        PID:7008
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5036
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6424
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6908
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5916
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2800
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6088
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4528
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5728
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5308
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6116
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6928
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5360
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6224
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6264
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6056
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6448
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5236
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5880
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4576
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6832
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6664
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6336
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6440
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4088
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6860
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:7108
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1628
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5496
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6560
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6816
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5080
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1808
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3632
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4016
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3088
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5016
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5108
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2188
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2392
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4812
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6524
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4356
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2256
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4052
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2028
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2444
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:872
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6788
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4416
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4832
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3468
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5812
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5520
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5648
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5304
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6348
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2692
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3252
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4736
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:400
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:7160
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3288
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4916
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4320
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6400
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3188
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3388
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3168
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3328
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1500
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:932
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5796
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:984
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5412
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5712
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6004
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1516
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6124
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5676
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5216
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2300
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4628
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6308
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6316
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3424
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4792
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5456
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6852
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6844
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6708
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3984
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6360
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4020
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:7112
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3892
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1384
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3104
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3116
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6604
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4104
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3664
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2808
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5008
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3636
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2668
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3560
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3580
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6644
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3896
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5048
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3516
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2500
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1612
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2744
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1632
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2972
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5572
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3472
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5164
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2660
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2824
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3464
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1100
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6480
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4904
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2128
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2320
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3728
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4680
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4932
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3276
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4140
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4264
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1828
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1812
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3124
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:1544
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3064
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5832
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:2156
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5724
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6040
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6028
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3808
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6964
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:3784
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6000
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5744
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5212
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5616
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:5392
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6252
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:4920
    - - C:\Users\Admin\Start Menu\Programs\Startup\Queue.exe
        
        Queue.exe
        5⤵
        
        PID:6588
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2800
- - C:\Windows\system32\shutdown.exe
    shutdown.exe /s /t 00
    3⤵
    PID:5920

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:6284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:6884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\2b2t.exe

Filesize
185KB

MD5
36e73597948fbbcc8c1ee1c09068e1dc

SHA1
2143fd9e0cb82f4b51494c245855d405fc092ff0

SHA256
3ab4f96969c5b663203d19d7b4dc0f91d31bd65bc7662fecc37f7b788fe74985

SHA512
cb868d04217ed3a54bcab674d0f0718f5bb71e148824080799816b924f4dd1d1147b845b346aeb6dae7ded7aa269163472a06b2516bc224a86d64940bc009d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7C4.tmp\A7C5.bat

Filesize
189B

MD5
054319e0976a05e18b0218f63bf57d9d

SHA1
3b6b9aed46dd9590d2ad06a72082e35ecbed829b

SHA256
8b633af759450256ef78656954933f6c81c3039798fe623fe34d4a56feb8d123

SHA512
24a5af58c81bf286c565b39012317771a87c5f67d49a2f322becc9e7a3a5db2240b0e98108418ba8981ed2fd5a1e7171658030607c359c8c374c467b7bffbcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\A841.tmp\A842.bat

Filesize
498B

MD5
f12b60a1e6b71dc6377e698cafb960e2

SHA1
601694c10cdb76638e53859e09f8fa0bfb1b8625

SHA256
1602f10c43649d4e28357446321b36df58ed40f3692b4ce833125cdb3eccaaf4

SHA512
0e8185e77a0a057d6cd20f74a759cc0a1aba24ca9a5fcab5f0b252105631ebe4b58767809862e4db64665ebd19069992acbf02d588a0a643b83fee75df2519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\A841.tmp\Queue.exe

Filesize
115KB

MD5
0e6ce768bbd53a3d303875d08c76b8a8

SHA1
fc4dfa831b76433c1b6fb5950045a53ccd1f246d

SHA256
e237cf416742a3d5619bf7c92eb5df3e7ddf852ed2b94a3fa756af75679b9253

SHA512
b0e2405779a029fe44bbca4b65fbf06d964cf96ffaa4886045e99a08690cd398d1d4978ba485cf465e4c8e6dd8c58f5deb8d53cdc55e956491433d3046885a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\A89E.tmp\A8AF.bat

Filesize
156B

MD5
1e67264fbc9eb77c6b6586690dd59983

SHA1
1f092df75aea35d73f91cf38c3714cfb8f8bd3bc

SHA256
a89739b55abf4bbb145d582bcf9a8825962be4ee0340cf1ef1221dd4af764535

SHA512
feabae1315e59b55bc820b6393004efbb14076f3550d1789835dd0b2c3f1dca25e839ab53885103d70692981b49f45377d437f218510bfa38cb8820de41b3dcf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads