84240b61fb4a30cca25fc22a0db5122c3a3fa309941f781722d0e20bd0ec6b22

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fddfa09c8ade37e262b763f0a53102.exe
Size

92KB
MD5

75fddfa09c8ade37e262b763f0a53102
SHA1

6d43c070536ee79a1670152e2a62f182603f8a45
SHA256

84240b61fb4a30cca25fc22a0db5122c3a3fa309941f781722d0e20bd0ec6b22
SHA512

0d5f05b6c92757a89f630c20a7757501ed94001074db10cbf53f88d0a36891ba1beff9283b8c727629bfa4cdb8362623ce4e3b43fcaff14ff9108452d8869727
SSDEEP

384:ljypOzXRbzgcRGxRkJ2vDHUK+5pxQVjIJ:1icRGby2YK8QS

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File created	C:\Windows\SysWOW64\drivers\Hev32.sys	75fddfa09c8ade37e262b763f0a53102.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\drivers\Hev32.sys	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3344	MMHADPQG1102.exe
744	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
348	MMHADPQG1102.exe
3180	attrib.exe
4372	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2140	MMHADPQG1102.exe
2760	MMHADPQG1102.exe
3148	Conhost.exe
3496	MMHADPQG1102.exe
5040	MMHADPQG1102.exe
4864	MMHADPQG1102.exe
456	MMHADPQG1102.exe
2132	MMHADPQG1102.exe
4828	Process not Found
4856	MMHADPQG1102.exe
2216	Process not Found
3160	cmd.exe
3880	Process not Found
2756	Process not Found
2296	attrib.exe
2796	MMHADPQG1102.exe
3464	MMHADPQG1102.exe
5108	MMHADPQG1102.exe
1432	Conhost.exe
4864	MMHADPQG1102.exe
1588	Conhost.exe
4488	Process not Found
4744	Process not Found
5020	Process not Found
3460	Process not Found
1276	Process not Found
4544	Process not Found
3060	MMHADPQG1102.exe
3460	Process not Found
3524	Process not Found
2216	Process not Found
5136	Process not Found
5260	MMHADPQG1102.exe
5332	Process not Found
5404	Process not Found
5568	Process not Found
5668	Process not Found
5756	Process not Found
5872	Process not Found
5952	Process not Found
6052	Process not Found
6124	Conhost.exe
2756	Process not Found
5328	MMHADPQG1102.exe
5332	Process not Found
5624	Process not Found
5880	Process not Found
3240	Process not Found
6124	Conhost.exe
5492	MMHADPQG1102.exe
1276	Process not Found
5152	Conhost.exe
4856	MMHADPQG1102.exe
6060	MMHADPQG1102.exe
5452	MMHADPQG1102.exe
6280	MMHADPQG1102.exe
6360	MMHADPQG1102.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	MMHADPQG1102.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\MMHADPQG1102.exe	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
1700	75fddfa09c8ade37e262b763f0a53102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
3344	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
744	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
3764	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
348	MMHADPQG1102.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
3180	attrib.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
4372	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe
2128	MMHADPQG1102.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3344	1700	75fddfa09c8ade37e262b763f0a53102.exe	84
PID 1700 wrote to memory of 3344	1700	75fddfa09c8ade37e262b763f0a53102.exe	84
PID 1700 wrote to memory of 3344	1700	75fddfa09c8ade37e262b763f0a53102.exe	84
PID 1700 wrote to memory of 4256	1700	75fddfa09c8ade37e262b763f0a53102.exe	85
PID 1700 wrote to memory of 4256	1700	75fddfa09c8ade37e262b763f0a53102.exe	85
PID 1700 wrote to memory of 4256	1700	75fddfa09c8ade37e262b763f0a53102.exe	85
PID 3344 wrote to memory of 744	3344	MMHADPQG1102.exe	87
PID 3344 wrote to memory of 744	3344	MMHADPQG1102.exe	87
PID 3344 wrote to memory of 744	3344	MMHADPQG1102.exe	87
PID 3344 wrote to memory of 2312	3344	MMHADPQG1102.exe	86
PID 3344 wrote to memory of 2312	3344	MMHADPQG1102.exe	86
PID 3344 wrote to memory of 2312	3344	MMHADPQG1102.exe	86
PID 744 wrote to memory of 3764	744	MMHADPQG1102.exe	104
PID 744 wrote to memory of 3764	744	MMHADPQG1102.exe	104
PID 744 wrote to memory of 3764	744	MMHADPQG1102.exe	104
PID 744 wrote to memory of 2360	744	MMHADPQG1102.exe	90
PID 744 wrote to memory of 2360	744	MMHADPQG1102.exe	90
PID 744 wrote to memory of 2360	744	MMHADPQG1102.exe	90
PID 3764 wrote to memory of 348	3764	MMHADPQG1102.exe	103
PID 3764 wrote to memory of 348	3764	MMHADPQG1102.exe	103
PID 3764 wrote to memory of 348	3764	MMHADPQG1102.exe	103
PID 3764 wrote to memory of 4476	3764	MMHADPQG1102.exe	91
PID 3764 wrote to memory of 4476	3764	MMHADPQG1102.exe	91
PID 3764 wrote to memory of 4476	3764	MMHADPQG1102.exe	91
PID 348 wrote to memory of 3180	348	MMHADPQG1102.exe	157
PID 348 wrote to memory of 3180	348	MMHADPQG1102.exe	157
PID 348 wrote to memory of 3180	348	MMHADPQG1102.exe	157
PID 348 wrote to memory of 4884	348	MMHADPQG1102.exe	92
PID 348 wrote to memory of 4884	348	MMHADPQG1102.exe	92
PID 348 wrote to memory of 4884	348	MMHADPQG1102.exe	92
PID 3180 wrote to memory of 4372	3180	attrib.exe	93
PID 3180 wrote to memory of 4372	3180	attrib.exe	93
PID 3180 wrote to memory of 4372	3180	attrib.exe	93
PID 3180 wrote to memory of 3832	3180	attrib.exe	98
PID 3180 wrote to memory of 3832	3180	attrib.exe	98
PID 3180 wrote to memory of 3832	3180	attrib.exe	98
PID 4372 wrote to memory of 2128	4372	MMHADPQG1102.exe	94
PID 4372 wrote to memory of 2128	4372	MMHADPQG1102.exe	94
PID 4372 wrote to memory of 2128	4372	MMHADPQG1102.exe	94
PID 4372 wrote to memory of 2428	4372	MMHADPQG1102.exe	95
PID 4372 wrote to memory of 2428	4372	MMHADPQG1102.exe	95
PID 4372 wrote to memory of 2428	4372	MMHADPQG1102.exe	95
PID 2128 wrote to memory of 2140	2128	MMHADPQG1102.exe	128
PID 2128 wrote to memory of 2140	2128	MMHADPQG1102.exe	128
PID 2128 wrote to memory of 2140	2128	MMHADPQG1102.exe	128
PID 2128 wrote to memory of 4880	2128	MMHADPQG1102.exe	127
PID 2128 wrote to memory of 4880	2128	MMHADPQG1102.exe	127
PID 2128 wrote to memory of 4880	2128	MMHADPQG1102.exe	127
PID 2140 wrote to memory of 2760	2140	MMHADPQG1102.exe	105
PID 2140 wrote to memory of 2760	2140	MMHADPQG1102.exe	105
PID 2140 wrote to memory of 2760	2140	MMHADPQG1102.exe	105
PID 2140 wrote to memory of 1020	2140	MMHADPQG1102.exe	126
PID 2140 wrote to memory of 1020	2140	MMHADPQG1102.exe	126
PID 2140 wrote to memory of 1020	2140	MMHADPQG1102.exe	126
PID 2760 wrote to memory of 3148	2760	MMHADPQG1102.exe	174
PID 2760 wrote to memory of 3148	2760	MMHADPQG1102.exe	174
PID 2760 wrote to memory of 3148	2760	MMHADPQG1102.exe	174
PID 2760 wrote to memory of 2112	2760	MMHADPQG1102.exe	107
PID 2760 wrote to memory of 2112	2760	MMHADPQG1102.exe	107
PID 2760 wrote to memory of 2112	2760	MMHADPQG1102.exe	107
PID 3148 wrote to memory of 3496	3148	Conhost.exe	124
PID 3148 wrote to memory of 3496	3148	Conhost.exe	124
PID 3148 wrote to memory of 3496	3148	Conhost.exe	124
PID 3148 wrote to memory of 2848	3148	Conhost.exe	122

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
9324	attrib.exe
12488	Process not Found
4980	attrib.exe
8236	Process not Found
4960	Process not Found
12644	attrib.exe
10876	Process not Found
12668	Process not Found
7740	attrib.exe
12176	attrib.exe
7848	attrib.exe
11792	Process not Found
10952	Process not Found
4756	Process not Found
8016	attrib.exe
11472	attrib.exe
11648	attrib.exe
10056	Process not Found
13408	attrib.exe
10888	Process not Found
9100	Process not Found
12512	attrib.exe
10256	Process not Found
12804	Process not Found
11904	Process not Found
9184	attrib.exe
9724	attrib.exe
12716	attrib.exe
6128	attrib.exe
4436	attrib.exe
4960	attrib.exe
7024	attrib.exe
13036	Process not Found
8500	Process not Found
8540	Process not Found
11480	Process not Found
2784	Process not Found
5444	Process not Found
6612	Process not Found
13084	attrib.exe
14200	Process not Found
10868	Process not Found
7152	Process not Found
7384	Process not Found
9068	Process not Found
5544	Process not Found
8884	Process not Found
8084	Process not Found
10708	attrib.exe
14264	Process not Found
10704	Process not Found
9728	attrib.exe
12140	Process not Found
14024	Process not Found
7632	Process not Found
10968	Process not Found
12796	Process not Found
13836	Process not Found
14064	Process not Found
10276	Process not Found
6528	attrib.exe
6252	attrib.exe
11180	attrib.exe
8160	Process not Found

C:\Users\Admin\AppData\Local\Temp\75fddfa09c8ade37e262b763f0a53102.exe
"C:\Users\Admin\AppData\Local\Temp\75fddfa09c8ade37e262b763f0a53102.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240611718.bat
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:13084
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240611765.bat
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6944
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8500
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:7408
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:9588
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:11152
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240611671.bat
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\75fddfa09c8ade37e262b763f0a53102.exe" -r -a -s -h
    3⤵
    PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240611796.bat
1⤵
PID:4476
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3180
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6688
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:8016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8516
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11620
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240611843.bat
1⤵
PID:4884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4436
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:3412
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6856
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7432
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5284
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8908
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12900
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12260

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240612015.bat
    3⤵
    PID:4880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:3372
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13404
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240611921.bat
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:4980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:6128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6248
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13680
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7432
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10496
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13384
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:13868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240638906.bat
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:14260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240611875.bat
1⤵
PID:3832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:660
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:2784
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:1264
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:3440
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5448
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:744
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8832
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8436
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9396
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12368

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:3180

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240612156.bat
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:5808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:5284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7380
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10908
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:4412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13956
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Executes dropped EXE
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240612109.bat
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240623265.bat
      4⤵
      PID:9436
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:13240
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:9412
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11144
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:11988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612312.bat
1⤵
PID:2320
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4976
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8360
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9996
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13660

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
PID:456
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240612609.bat
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:8152
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:8828
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:8208
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11400
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:10744
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:13288
    - - C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240614937.bat
        6⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240618046.bat
        8⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        9⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        9⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        9⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240634250.bat
        8⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        8⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:14276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240612593.bat
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6712
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240619859.bat
        6⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:9816
      - C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        6⤵
        
        PID:7216
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:9208
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:3548
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:9184
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8616
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:10668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240612500.bat
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6140
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12404
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240612390.bat
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8268
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11168
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612265.bat
1⤵
PID:4824
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:2464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:1160
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6776
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8204
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9712

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612203.bat
1⤵
PID:2764
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:1592
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Executes dropped EXE
    PID:5452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240616468.bat
      4⤵
      PID:6300
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:5140
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:7816
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8880
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:9476
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8932
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:12016
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:13156
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8000
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:6280
    - - C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:6360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240616593.bat
        6⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:6284
      - C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        6⤵
        
        PID:6432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240616515.bat
        5⤵
        
        PID:6380
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:7240
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:9640
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:13284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240616390.bat
    3⤵
    PID:6156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13140
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:8628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9948
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11804
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11192
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12400

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612062.bat
1⤵
PID:1020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:2356
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11324
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8624
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9980
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11364
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612687.bat
1⤵
PID:4564
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:6528
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6284
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5236
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9616
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12664

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:3160
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240612796.bat
    3⤵
    PID:3332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6228
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8272
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240615593.bat
      4⤵
      PID:5256
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:6624
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:9084
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:10688
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:12764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:13544
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:10496
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:11732
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:12136
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240612750.bat
  2⤵
  PID:3248
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:5576
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7132
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8444
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240612875.bat
1⤵
PID:3172
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240616328.bat
    3⤵
    PID:5252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9376
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:11188
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:13176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12084
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Executes dropped EXE
    PID:6060
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5376
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6824
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7420
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8764
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9544
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9280
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12300
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13268
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:14080
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8096
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10900
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11692
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12784

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240612953.bat
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Executes dropped EXE
    PID:2296
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:896
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12156
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240625015.bat
        5⤵
        
        PID:9556
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11852
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:10836
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:14088
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8332
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9624
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11260
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12936
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240613031.bat
    3⤵
    PID:1664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13472
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Executes dropped EXE
    PID:3464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240613062.bat
1⤵
PID:4456
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8856
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8744
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11988
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13056
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:12680

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:1432
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4864
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240614171.bat
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240636562.bat
        5⤵
        
        PID:13624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240613156.bat
  2⤵
  PID:316
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:4436
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6748
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7336
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10104
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10828
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240613109.bat
1⤵
PID:768
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10008
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9800
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12392
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12212
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12464

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614328.bat
1⤵
PID:348
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240617156.bat
    3⤵
    PID:6100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8528
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11324
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:6368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6592
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8016
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8452
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11936
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13628
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614406.bat
1⤵
PID:1544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5304
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:2576
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10448
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614453.bat
1⤵
PID:4984
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5504
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6168
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9240
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8392

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240614531.bat
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9660
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614562.bat
1⤵
PID:648
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:4960
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5284
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12028

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Executes dropped EXE
PID:3060
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240614718.bat
  2⤵
  PID:908
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8168
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8416
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8724
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8724
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614640.bat
1⤵
PID:1692
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4980
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8556
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9488
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4976

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240614984.bat
1⤵
PID:5292
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5376
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:3620
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615062.bat
1⤵
PID:5420
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:4472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8412
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9132
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11152
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615140.bat
1⤵
PID:5596
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6188
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7580
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615203.bat
1⤵
PID:5684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5968
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7980
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10204
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12980

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240615437.bat
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240619078.bat
      4⤵
      PID:7692
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:7740
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:10120
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:10880
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:11588
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9228
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240629484.bat
      4⤵
      PID:9532
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:12768
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:12768
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:13452
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:8820
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8392

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240615531.bat
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:7024
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11308
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615484.bat
1⤵
PID:3436
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:6252
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8500
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615671.bat
1⤵
PID:5500
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7104
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7332
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7704
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11724
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13232
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14180
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12900

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240615765.bat
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6248
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615812.bat
1⤵
PID:5804
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:6292
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8704
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9444
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12664
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14276

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240615953.bat
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:3160
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10704
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12568
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12864
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:6124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240616031.bat
    3⤵
    PID:3268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:6912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10136
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:5492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240615906.bat
1⤵
PID:1344
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5756
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8792
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240616093.bat
1⤵
PID:5712
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in Drivers directory
  PID:6660
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7244
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8956
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9940
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10564
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12904

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:1276
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:5152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240616187.bat
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11716
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:7848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240616640.bat
1⤵
PID:6572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:1208
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11392
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12720

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240616812.bat
1⤵
PID:6892
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:6128
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8544
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13028

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:6864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240616921.bat
  2⤵
  PID:7056
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9468
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10592
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12852
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:7008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240617015.bat
    3⤵
    PID:7164
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:9208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:8236
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11760
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:7148
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8208
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  PID:4028
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9632
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10052
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10872
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12364
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240616765.bat
1⤵
PID:6796
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7144
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8280
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14164

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in System32 directory
PID:6768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240616703.bat
1⤵
PID:6676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:5648
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8200

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:6660

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6616

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6608

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:6556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:5152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240616250.bat
  2⤵
  PID:5308
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:6776
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8736
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:12716
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Executes dropped EXE
  PID:4856

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:5796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:5236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240617218.bat
1⤵
PID:5840
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1592
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8556
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240617281.bat
1⤵
PID:5372
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7728
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8484
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10068
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9820
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10912

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240617359.bat
  2⤵
  PID:6136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:6124
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:7620
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12148
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:6884

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240617078.bat
1⤵
PID:5588
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7252
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7652
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9672
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10656
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11140
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13032

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240617671.bat
1⤵
- Drops file in Drivers directory
PID:5584
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7780
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8736
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13048
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14172

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in Drivers directory
PID:4508

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7240

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:7372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240618359.bat
1⤵
PID:7388
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:1208
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7872
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8932
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12428

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8028

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240618890.bat
1⤵
PID:6880
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10144
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10744
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:9532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240627406.bat
      4⤵
      PID:11076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240627906.bat
      4⤵
      PID:9728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:8848
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:792
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:13300
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:8000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240628015.bat
        5⤵
        
        PID:8360
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:10728
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:9796
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        6⤵
        
        PID:12448
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:11804
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11436
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12776

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240619140.bat
1⤵
PID:7916
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7652
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240625250.bat
    3⤵
    PID:10224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:11276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:14112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240619437.bat
1⤵
PID:7828
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8560
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7412
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10084
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9520
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240619671.bat
1⤵
PID:7208
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8620
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8604
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14316
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9948

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240619984.bat
1⤵
PID:5156
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11824

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:5812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240620109.bat
  2⤵
  PID:7084
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8168
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9988
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10124
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8008

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6508

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7408

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:5504

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240620328.bat
1⤵
PID:8296
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7044
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8516
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11496
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8340
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9400
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240620406.bat
1⤵
PID:8396
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8744
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240620578.bat
1⤵
PID:8684
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8848
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9332

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in System32 directory
PID:8668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8872

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:8372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240620843.bat
1⤵
PID:9200
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7244
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7676
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13104

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240620953.bat
  2⤵
  PID:8308
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8520
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11744
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13360
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:14012
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Drops file in Drivers directory
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240621046.bat
    3⤵
    PID:8120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13508
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:5404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7588

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:7276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:5788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240621500.bat
1⤵
PID:7960
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11188
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12508

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:7720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240621593.bat
  2⤵
  PID:8552
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9516
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11476
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8392
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:4432

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8432

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:4036

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8456

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240621703.bat
1⤵
PID:8772
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9472
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11572
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:12644

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:8760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240621781.bat
  2⤵
  PID:8528
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9540
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:11908
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240621875.bat
1⤵
PID:9072
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240622187.bat
1⤵
- Drops file in System32 directory
PID:8544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Drops file in System32 directory
  PID:8760
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10176
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11708
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13956

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:8236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240622953.bat
1⤵
PID:8880
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6508
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:9324
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:9948
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8892
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11276
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623078.bat
1⤵
PID:8856
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9648
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12428
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623187.bat
1⤵
PID:9300
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9212
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10464
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14240

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9280

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9724

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
- Drops file in Drivers directory
PID:9772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240623609.bat
  2⤵
  PID:9920
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8196
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  - Drops file in Drivers directory
  PID:9904
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10280
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623703.bat
1⤵
PID:10076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10184
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Views/modifies file attributes
  PID:12176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623984.bat
1⤵
PID:7292
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8392
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8932
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13376

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240624125.bat
1⤵
PID:6944
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13448

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240624234.bat
  2⤵
  PID:9904
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:10056
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:5772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240624312.bat
    3⤵
    PID:9308
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:10708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:13996
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    PID:9064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240624468.bat
      4⤵
      PID:9524
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:11180
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:11528
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:10700
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:9528
    - - C:\Windows\SysWOW64\MMHADPQG1102.exe
        
        C:\Windows\system32\MMHADPQG1102.exe
        5⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\e8d6936d240624703.bat
        6⤵
        
        PID:10096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        7⤵
        
        PID:12840

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9348
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10324
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8624

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8228

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8788

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10220

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9280

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623859.bat
1⤵
PID:8860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11640
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10744

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:7480

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10212
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:8740
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14208

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623531.bat
1⤵
PID:9788
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9648
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:7884
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9732

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240623390.bat
1⤵
PID:9604
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10136
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9112
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12256

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9404

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240624796.bat
1⤵
- Drops file in Drivers directory
PID:5772
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12860
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9800

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:8196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240625703.bat
1⤵
PID:10172
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9316
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240625906.bat
1⤵
PID:10352
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11980
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9912
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240626421.bat
1⤵
PID:9064
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:9796
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:10696
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11828

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9692

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9780

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10328

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:9728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240626921.bat
1⤵
PID:9888
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12752
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10668

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:6856

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9044

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8412

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10696

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:11672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240629000.bat
1⤵
PID:11164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:11360

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240629359.bat
1⤵
PID:12068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240629812.bat
1⤵
PID:11920
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:11648

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:12204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240629984.bat
  2⤵
  PID:11912
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:11472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240629578.bat
1⤵
PID:11272
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13368
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12292

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12096

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10664

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:10068

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8884

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10536

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:9468
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:12332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240630828.bat
    3⤵
    PID:12576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:7336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:10744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
      4⤵
      PID:12180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240630671.bat
  2⤵
  PID:12352
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    - Drops file in System32 directory
    PID:12752
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:13484
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:14092

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240630515.bat
1⤵
PID:11028
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13264

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12292

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12188

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240633171.bat
  2⤵
  PID:12172
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:12088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13108

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Drops file in System32 directory
PID:11644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240631312.bat
1⤵
PID:8812

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:13308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240631515.bat
  2⤵
  PID:11940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11104

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240632625.bat
  2⤵
  PID:13208
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:8904
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:12120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240631781.bat
1⤵
PID:10572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240632171.bat
1⤵
PID:11360
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:12772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9352

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12892

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12940

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13288

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:9724

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12584

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11144

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240637343.bat
  2⤵
  PID:12156

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240633375.bat
1⤵
PID:12656

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11924

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12344

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8236

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12904

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:9820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240634359.bat
1⤵
PID:10872
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:13512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11592

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:7608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:4300

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10592

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:10272
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:12488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\e8d6936d240634671.bat
    3⤵
    PID:10764
- - C:\Windows\SysWOW64\MMHADPQG1102.exe
    C:\Windows\system32\MMHADPQG1102.exe
    3⤵
    - Drops file in Drivers directory
    PID:12740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\e8d6936d240634781.bat
      4⤵
      PID:11916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
        5⤵
        
        PID:14288
  - - C:\Windows\SysWOW64\MMHADPQG1102.exe
      C:\Windows\system32\MMHADPQG1102.exe
      4⤵
      PID:12600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240634531.bat
  2⤵
  PID:12484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11812

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240636078.bat
  2⤵
  PID:11800
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
    3⤵
    PID:10492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12448

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240634906.bat
1⤵
PID:13164
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
  2⤵
  PID:14148

C:\Windows\SysWOW64\MMHADPQG1102.exe
C:\Windows\system32\MMHADPQG1102.exe
1⤵
PID:8372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\e8d6936d240635093.bat
  2⤵
  PID:13476
- C:\Windows\SysWOW64\MMHADPQG1102.exe
  C:\Windows\system32\MMHADPQG1102.exe
  2⤵
  PID:13460

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:3820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11700

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13444

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13392

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240635484.bat
1⤵
PID:14140

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:14324

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:14332

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13012

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8372

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:12512

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13204

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:10184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240637156.bat
1⤵
PID:8848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13240

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12244

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13816

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13800

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11876

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12548

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:8412

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13492

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:14036

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:12224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\e8d6936d240638468.bat
1⤵
PID:13184

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
- Views/modifies file attributes
PID:13408

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:13688

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\MMHADPQG1102.exe" -r -a -s -h
1⤵
PID:11528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MMHADPQG1102.exe

Filesize
92KB

MD5
75fddfa09c8ade37e262b763f0a53102

SHA1
6d43c070536ee79a1670152e2a62f182603f8a45

SHA256
84240b61fb4a30cca25fc22a0db5122c3a3fa309941f781722d0e20bd0ec6b22

SHA512
0d5f05b6c92757a89f630c20a7757501ed94001074db10cbf53f88d0a36891ba1beff9283b8c727629bfa4cdb8362623ce4e3b43fcaff14ff9108452d8869727

Download Submit
C:\Windows\SysWOW64\drivers\Hev32.sys

Filesize
2KB

MD5
49e5be4875edfd0881aec4c6a32e3f37

SHA1
12b9d6aada3508d1bc60bcf2e5923f3621c10e9b

SHA256
8300e23556dcfce5ebc51424b804dab82877a01831a16e2302090921470aabff

SHA512
e9f41539525836c65d3289463d843de27e63fa261052b71cd8c775941728ad7494b893d6f67fcab1bf02248962dc0efe17dcaa7e6c9ab8ad0af0008e48d0ee04

Download Submit
C:\e8d6936d240611671.bat

Filesize
291B

MD5
aa85f000bf264df542f92c4eb569a3c3

SHA1
162d1bda9553ec52ce4d613fc2d71199028d0d8e

SHA256
544428dc2cd8b8ef12177ce706ae16e6b14d41ca5ab1083329f745630fba556a

SHA512
73b1bb3fe4bcdae302ca56008128dac8e7ca84a0e6bce08d61f16cb9844ecf8c8efee5e4ef7e8158dce4f739141563a0b89329c6a9338555ea050b72d283bfca

Download Submit
C:\e8d6936d240611796.bat

Filesize
189B

MD5
5b6f27330fa6bdc820fee6633cc000c8

SHA1
e9fa3e762e246e8d362328480c55cc265bf2d410

SHA256
22807e921958ae183417f52200d00771e3f5adce8e0ce7b6a93cca4ee745d837

SHA512
dd7f732321f49b1d4aadf5a11f6db296b216222fe86db5541041b8080efb85c168cf0d65777fc7fe6b5041881bc30f398119c974b22d8c074e46300043a1a37b

Download Submit