b1dcbb4cf406f2eccb068d66bbcde872eed6fa9a01efa7e4482439765c642336

Analysis

max time kernel
125s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe
Size

12KB
MD5

00b91c2dff15909d155af790006eafc1
SHA1

3dc0b66555d2bee7140f4a5e881c9b8d7b4587f3
SHA256

b1dcbb4cf406f2eccb068d66bbcde872eed6fa9a01efa7e4482439765c642336
SHA512

ca5d20481f499a1b40da7f5c63339d630cfe7113b406002c873c99dbfb0f49760711241b71e70a7bde848e9a0a708091b9189bcd38bc87294b59fa7c92a51d4f
SSDEEP

192:BIB1dGZwtPGa5Ux0IWb7GuBNDgIpTgV1emKZGxMYS+FBsXG9bh8UhkgUw9D:ByiwtPGo33b7GuXdRGA9W9bSFI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
440	ffCBDCBD1035.exe
5112	ffCBDCBD1035.exe
3860	ffCBDCBD1035.exe
1084	ffCBDCBD1035.exe
5116	ffCBDCBD1035.exe
1904	ffCBDCBD1035.exe
1252	ffCBDCBD1035.exe
3280	ffCBDCBD1035.exe
404	ffCBDCBD1035.exe
3172	ffCBDCBD1035.exe
4284	ffCBDCBD1035.exe
2576	ffCBDCBD1035.exe
1096	ffCBDCBD1035.exe
4656	ffCBDCBD1035.exe
1360	ffCBDCBD1035.exe
4992	ffCBDCBD1035.exe
1604	ffCBDCBD1035.exe
3296	ffCBDCBD1035.exe
1452	ffCBDCBD1035.exe
4696	ffCBDCBD1035.exe
5036	ffCBDCBD1035.exe
1200	ffCBDCBD1035.exe
4736	ffCBDCBD1035.exe
976	ffCBDCBD1035.exe
1360	ffCBDCBD1035.exe
3912	ffCBDCBD1035.exe
4356	ffCBDCBD1035.exe
4452	ffCBDCBD1035.exe
3096	ffCBDCBD1035.exe
3912	ffCBDCBD1035.exe
4004	ffCBDCBD1035.exe
5148	ffCBDCBD1035.exe
5248	ffCBDCBD1035.exe
5344	ffCBDCBD1035.exe
5408	ffCBDCBD1035.exe
5516	ffCBDCBD1035.exe
5648	ffCBDCBD1035.exe
5728	ffCBDCBD1035.exe
5824	ffCBDCBD1035.exe
5952	ffCBDCBD1035.exe
6036	ffCBDCBD1035.exe
6120	ffCBDCBD1035.exe
1032	ffCBDCBD1035.exe
5376	ffCBDCBD1035.exe
5492	ffCBDCBD1035.exe
5688	ffCBDCBD1035.exe
5852	ffCBDCBD1035.exe
5956	ffCBDCBD1035.exe
2984	ffCBDCBD1035.exe
3296	ffCBDCBD1035.exe
5628	ffCBDCBD1035.exe
5396	ffCBDCBD1035.exe
5712	ffCBDCBD1035.exe
5696	ffCBDCBD1035.exe
5272	ffCBDCBD1035.exe
6152	ffCBDCBD1035.exe
6288	ffCBDCBD1035.exe
6380	ffCBDCBD1035.exe
6432	ffCBDCBD1035.exe
6560	ffCBDCBD1035.exe
6620	ffCBDCBD1035.exe
6720	ffCBDCBD1035.exe
6892	ffCBDCBD1035.exe
7028	ffCBDCBD1035.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffCBDCBD1035.exe	Process not Found
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe
File created	C:\Windows\SysWOW64\ffCBDCBD1035.exe	ffCBDCBD1035.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
15176	13856	Process not Found	1674
11652	14920	Process not Found	1752

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1536	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	89
PID 3068 wrote to memory of 1536	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	89
PID 3068 wrote to memory of 1536	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	89
PID 3068 wrote to memory of 440	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	90
PID 3068 wrote to memory of 440	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	90
PID 3068 wrote to memory of 440	3068	00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe	90
PID 440 wrote to memory of 4872	440	ffCBDCBD1035.exe	92
PID 440 wrote to memory of 4872	440	ffCBDCBD1035.exe	92
PID 440 wrote to memory of 4872	440	ffCBDCBD1035.exe	92
PID 440 wrote to memory of 5112	440	ffCBDCBD1035.exe	93
PID 440 wrote to memory of 5112	440	ffCBDCBD1035.exe	93
PID 440 wrote to memory of 5112	440	ffCBDCBD1035.exe	93
PID 5112 wrote to memory of 4912	5112	ffCBDCBD1035.exe	95
PID 5112 wrote to memory of 4912	5112	ffCBDCBD1035.exe	95
PID 5112 wrote to memory of 4912	5112	ffCBDCBD1035.exe	95
PID 5112 wrote to memory of 3860	5112	ffCBDCBD1035.exe	96
PID 5112 wrote to memory of 3860	5112	ffCBDCBD1035.exe	96
PID 5112 wrote to memory of 3860	5112	ffCBDCBD1035.exe	96
PID 3860 wrote to memory of 556	3860	ffCBDCBD1035.exe	97
PID 3860 wrote to memory of 556	3860	ffCBDCBD1035.exe	97
PID 3860 wrote to memory of 556	3860	ffCBDCBD1035.exe	97
PID 3860 wrote to memory of 1084	3860	ffCBDCBD1035.exe	98
PID 3860 wrote to memory of 1084	3860	ffCBDCBD1035.exe	98
PID 3860 wrote to memory of 1084	3860	ffCBDCBD1035.exe	98
PID 1084 wrote to memory of 2304	1084	ffCBDCBD1035.exe	101
PID 1084 wrote to memory of 2304	1084	ffCBDCBD1035.exe	101
PID 1084 wrote to memory of 2304	1084	ffCBDCBD1035.exe	101
PID 1084 wrote to memory of 5116	1084	ffCBDCBD1035.exe	197
PID 1084 wrote to memory of 5116	1084	ffCBDCBD1035.exe	197
PID 1084 wrote to memory of 5116	1084	ffCBDCBD1035.exe	197
PID 5116 wrote to memory of 940	5116	ffCBDCBD1035.exe	104
PID 5116 wrote to memory of 940	5116	ffCBDCBD1035.exe	104
PID 5116 wrote to memory of 940	5116	ffCBDCBD1035.exe	104
PID 5116 wrote to memory of 1904	5116	ffCBDCBD1035.exe	158
PID 5116 wrote to memory of 1904	5116	ffCBDCBD1035.exe	158
PID 5116 wrote to memory of 1904	5116	ffCBDCBD1035.exe	158
PID 1904 wrote to memory of 4968	1904	ffCBDCBD1035.exe	106
PID 1904 wrote to memory of 4968	1904	ffCBDCBD1035.exe	106
PID 1904 wrote to memory of 4968	1904	ffCBDCBD1035.exe	106
PID 1904 wrote to memory of 1252	1904	ffCBDCBD1035.exe	107
PID 1904 wrote to memory of 1252	1904	ffCBDCBD1035.exe	107
PID 1904 wrote to memory of 1252	1904	ffCBDCBD1035.exe	107
PID 1252 wrote to memory of 4744	1252	ffCBDCBD1035.exe	110
PID 1252 wrote to memory of 4744	1252	ffCBDCBD1035.exe	110
PID 1252 wrote to memory of 4744	1252	ffCBDCBD1035.exe	110
PID 1252 wrote to memory of 3280	1252	ffCBDCBD1035.exe	111
PID 1252 wrote to memory of 3280	1252	ffCBDCBD1035.exe	111
PID 1252 wrote to memory of 3280	1252	ffCBDCBD1035.exe	111
PID 3280 wrote to memory of 2700	3280	ffCBDCBD1035.exe	112
PID 3280 wrote to memory of 2700	3280	ffCBDCBD1035.exe	112
PID 3280 wrote to memory of 2700	3280	ffCBDCBD1035.exe	112
PID 3280 wrote to memory of 404	3280	ffCBDCBD1035.exe	113
PID 3280 wrote to memory of 404	3280	ffCBDCBD1035.exe	113
PID 3280 wrote to memory of 404	3280	ffCBDCBD1035.exe	113
PID 404 wrote to memory of 3300	404	ffCBDCBD1035.exe	115
PID 404 wrote to memory of 3300	404	ffCBDCBD1035.exe	115
PID 404 wrote to memory of 3300	404	ffCBDCBD1035.exe	115
PID 404 wrote to memory of 3172	404	ffCBDCBD1035.exe	116
PID 404 wrote to memory of 3172	404	ffCBDCBD1035.exe	116
PID 404 wrote to memory of 3172	404	ffCBDCBD1035.exe	116
PID 3172 wrote to memory of 4892	3172	ffCBDCBD1035.exe	118
PID 3172 wrote to memory of 4892	3172	ffCBDCBD1035.exe	118
PID 3172 wrote to memory of 4892	3172	ffCBDCBD1035.exe	118
PID 3172 wrote to memory of 4284	3172	ffCBDCBD1035.exe	120

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7512	attrib.exe
8080	attrib.exe
8900	attrib.exe
10788	Process not Found
14424	Process not Found
4988	attrib.exe
7964	attrib.exe
12524	Process not Found
11976	attrib.exe
12592	Process not Found
6396	attrib.exe
9820	attrib.exe
11196	Process not Found
10308	attrib.exe
10864	attrib.exe
6376	attrib.exe
7716	attrib.exe
11412	Process not Found
7560	attrib.exe
8356	attrib.exe
8864	attrib.exe
13476	Process not Found
13504	Process not Found
5480	attrib.exe
5568	attrib.exe
10864	attrib.exe
9348	attrib.exe
11484	attrib.exe
13024	Process not Found
9576	attrib.exe
9048	attrib.exe
11656	Process not Found
11284	Process not Found
11196	Process not Found
12444	Process not Found
12664	Process not Found
6296	attrib.exe
10360	attrib.exe
11984	Process not Found
5344	attrib.exe
9652	attrib.exe
6168	attrib.exe
6188	attrib.exe
7568	attrib.exe
9712	attrib.exe
10204	attrib.exe
9248	attrib.exe
14048	Process not Found
8488	attrib.exe
10056	attrib.exe
8224	attrib.exe
8904	attrib.exe
9204	attrib.exe
13580	Process not Found
12720	Process not Found
5604	attrib.exe
5896	attrib.exe
6152	Process not Found
13040	Process not Found
14052	Process not Found
8040	attrib.exe
11028	attrib.exe
10856	attrib.exe
9444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641687.bat
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\00b91c2dff15909d155af790006eafc1_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:4260
- C:\Windows\SysWOW64\ffCBDCBD1035.exe
  C:\Windows\system32\ffCBDCBD1035.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641718.bat
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:3404
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:6000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:6836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:8152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:6836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
      4⤵
      PID:9236
- - C:\Windows\SysWOW64\ffCBDCBD1035.exe
    C:\Windows\system32\ffCBDCBD1035.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641734.bat
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:5116
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:6056
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:6780
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:8084
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:7612
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        5⤵
        
        PID:10548
  - - C:\Windows\SysWOW64\ffCBDCBD1035.exe
      C:\Windows\system32\ffCBDCBD1035.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641750.bat
        5⤵
        
        PID:556
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:1212
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:1212
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:6096
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:6176
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:7404
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:9152
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        
        PID:8900
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:10204
    - - C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641796.bat
        6⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:9960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        7⤵
        
        PID:10676
      - C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641812.bat
        7⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        8⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641875.bat
        8⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        9⤵
        Views/modifies file attributes
        
        PID:9820
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641890.bat
        9⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        10⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641937.bat
        10⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        11⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240641953.bat
        11⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        12⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642015.bat
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        13⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        12⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642062.bat
        13⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:8040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        14⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        13⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642125.bat
        14⤵
        
        PID:724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        15⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        14⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642156.bat
        15⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        16⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        15⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642281.bat
        16⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:8864
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        16⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642328.bat
        17⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        18⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        17⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642375.bat
        18⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        19⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        19⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        19⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        19⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        19⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        18⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642390.bat
        19⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:7604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        20⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        19⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642421.bat
        20⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        21⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        20⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642453.bat
        21⤵
        
        PID:836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        22⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        21⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642468.bat
        22⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        23⤵
        Views/modifies file attributes
        
        PID:10864
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        22⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642515.bat
        23⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:8080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        24⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        23⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642546.bat
        24⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        Views/modifies file attributes
        
        PID:9712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        25⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        24⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642578.bat
        25⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        26⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        25⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642625.bat
        26⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        Views/modifies file attributes
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        27⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        26⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642640.bat
        27⤵
        
        PID:2940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        28⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642671.bat
        28⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:10856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:11484
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        28⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642812.bat
        29⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        30⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        29⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642843.bat
        30⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        31⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        30⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642875.bat
        31⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        32⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        32⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        32⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        32⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        31⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240642953.bat
        32⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        Views/modifies file attributes
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        Views/modifies file attributes
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        33⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        32⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643000.bat
        33⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        Views/modifies file attributes
        
        PID:7568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        34⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        33⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643062.bat
        34⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        Views/modifies file attributes
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        35⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        34⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643093.bat
        35⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        36⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        35⤵
        Executes dropped EXE
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643109.bat
        36⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        37⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        36⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643156.bat
        37⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        38⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        37⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643203.bat
        38⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        Drops file in System32 directory
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        39⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        38⤵
        Executes dropped EXE
        
        PID:5648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643250.bat
        39⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        40⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        39⤵
        Executes dropped EXE
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643281.bat
        40⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        Views/modifies file attributes
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        41⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        40⤵
        Executes dropped EXE
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643359.bat
        41⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        42⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        41⤵
        Executes dropped EXE
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643421.bat
        42⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        43⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        43⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        43⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        43⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        43⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        42⤵
        Executes dropped EXE
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643468.bat
        43⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        44⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        44⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        44⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        44⤵
        Views/modifies file attributes
        
        PID:10056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        44⤵
        Drops file in System32 directory
        
        PID:11072
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        43⤵
        Executes dropped EXE
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643531.bat
        44⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        45⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        45⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        45⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        45⤵
        Views/modifies file attributes
        
        PID:8904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        45⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        44⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643593.bat
        45⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        46⤵
        Views/modifies file attributes
        
        PID:9204
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        45⤵
        Executes dropped EXE
        
        PID:5376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643609.bat
        46⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        47⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        47⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        47⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        47⤵
        Drops file in System32 directory
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        47⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        46⤵
        Executes dropped EXE
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643625.bat
        47⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        48⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        48⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        48⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        48⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        48⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        47⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643671.bat
        48⤵
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        49⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        49⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        49⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        49⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643734.bat
        49⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        50⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        49⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643781.bat
        50⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        51⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        51⤵
        Views/modifies file attributes
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        51⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        51⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        50⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643859.bat
        51⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        52⤵
        Views/modifies file attributes
        
        PID:6188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        52⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        52⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        52⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        52⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        51⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643890.bat
        52⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        53⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        53⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        53⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        53⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        52⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240643937.bat
        53⤵
        
        PID:5268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        54⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        54⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        54⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        54⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        53⤵
        Executes dropped EXE
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644015.bat
        54⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        55⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        55⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        55⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        55⤵
        Views/modifies file attributes
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        55⤵
        Drops file in System32 directory
        
        PID:8532
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        54⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644046.bat
        55⤵
        
        PID:5568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        56⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        55⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644140.bat
        56⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        57⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        57⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        57⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        57⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        56⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644171.bat
        57⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        58⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        58⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        58⤵
        Views/modifies file attributes
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        58⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        58⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        57⤵
        Executes dropped EXE
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644234.bat
        58⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        59⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        59⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        59⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        59⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        58⤵
        Executes dropped EXE
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644312.bat
        59⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        60⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        60⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        60⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        60⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        60⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644328.bat
        60⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        61⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        61⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        61⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:10308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:11976
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        60⤵
        Executes dropped EXE
        
        PID:6432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644421.bat
        61⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        62⤵
        Views/modifies file attributes
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        62⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        62⤵
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        62⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        62⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        61⤵
        Executes dropped EXE
        
        PID:6560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644437.bat
        62⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        63⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644484.bat
        63⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        64⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        64⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        64⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        64⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        64⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        63⤵
        Executes dropped EXE
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644578.bat
        64⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        65⤵
        Drops file in System32 directory
        
        PID:10764
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        64⤵
        Executes dropped EXE
        
        PID:6892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644640.bat
        65⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        66⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        66⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        66⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        66⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        66⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        65⤵
        Executes dropped EXE
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644718.bat
        66⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        67⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        66⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644765.bat
        67⤵
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        68⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        68⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        68⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        68⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        67⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644859.bat
        68⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        69⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        69⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        69⤵
        Views/modifies file attributes
        
        PID:8356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        69⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        68⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240644984.bat
        69⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        70⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        70⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        70⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        70⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        69⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645000.bat
        70⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        71⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        71⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        71⤵
        Views/modifies file attributes
        
        PID:10360
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        70⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645156.bat
        71⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        72⤵
        Views/modifies file attributes
        
        PID:7716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        72⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        72⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        72⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        71⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645187.bat
        72⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        73⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        73⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        73⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        73⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        73⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        72⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645218.bat
        73⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        74⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        74⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        74⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        74⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        73⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645281.bat
        74⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        75⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        75⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        75⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        74⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645328.bat
        75⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        76⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        76⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        76⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        76⤵
        Drops file in System32 directory
        
        PID:9988
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        75⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645406.bat
        76⤵
        
        PID:6280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        77⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        77⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        77⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        77⤵
        Drops file in System32 directory
        
        PID:9648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        77⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        76⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645515.bat
        77⤵
        
        PID:6228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        78⤵
        Drops file in System32 directory
        
        PID:7832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        78⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        78⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        77⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645546.bat
        78⤵
        
        PID:6500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        79⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        79⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        79⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        78⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645703.bat
        79⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        80⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        80⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        80⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        79⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645718.bat
        80⤵
        
        PID:7028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        81⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        81⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        81⤵
        Drops file in System32 directory
        
        PID:9884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        81⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        80⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645843.bat
        81⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        82⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        82⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        82⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        82⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        81⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645906.bat
        82⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        83⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        83⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        83⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        82⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240645953.bat
        83⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        84⤵
        Views/modifies file attributes
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        84⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        84⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        84⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        83⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646031.bat
        84⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        85⤵
        Views/modifies file attributes
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        85⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        85⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        85⤵
        Views/modifies file attributes
        
        PID:9576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        85⤵
        Drops file in System32 directory
        
        PID:11032
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        84⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646093.bat
        85⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        86⤵
        Drops file in System32 directory
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        86⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        86⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        86⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        85⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646156.bat
        86⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        87⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        87⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        87⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        86⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646218.bat
        87⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        88⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        88⤵
        Drops file in System32 directory
        
        PID:8472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        88⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        88⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        88⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        87⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646265.bat
        88⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        89⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        89⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        89⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        88⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646421.bat
        89⤵
        
        PID:7208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        90⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        90⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        90⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        89⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646468.bat
        90⤵
        
        PID:6404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        91⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        91⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        91⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        90⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646578.bat
        91⤵
        
        PID:7616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        92⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        92⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        92⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        91⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646640.bat
        92⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        93⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        93⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        93⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        92⤵
        Drops file in System32 directory
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240646968.bat
        93⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        94⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        94⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        94⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        93⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647015.bat
        94⤵
        
        PID:7872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        95⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        95⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        95⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        94⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647140.bat
        95⤵
        
        PID:7600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        96⤵
        Views/modifies file attributes
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        96⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        95⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647187.bat
        96⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        97⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        97⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        97⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        96⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647265.bat
        97⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        98⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        98⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        98⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        97⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647296.bat
        98⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        99⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        99⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        99⤵
        Views/modifies file attributes
        
        PID:10864
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        98⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647343.bat
        99⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        100⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        100⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        100⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        99⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647468.bat
        100⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        101⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        101⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        101⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        100⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647593.bat
        101⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        102⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        102⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        101⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647625.bat
        102⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        103⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        103⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        102⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647656.bat
        103⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        104⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        104⤵
        Views/modifies file attributes
        
        PID:9444
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        103⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647703.bat
        104⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        105⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        105⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        104⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647750.bat
        105⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        106⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        106⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        106⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        105⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647828.bat
        106⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        107⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        107⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        107⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        106⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647875.bat
        107⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        108⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        108⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        107⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647890.bat
        108⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        109⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        109⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        109⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        108⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240647968.bat
        109⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        110⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        110⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        110⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        109⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648140.bat
        110⤵
        
        PID:6284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        111⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        111⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        110⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648218.bat
        111⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        112⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        112⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        111⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648234.bat
        112⤵
        
        PID:7712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        113⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        113⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        112⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648312.bat
        113⤵
        
        PID:8088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        114⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        114⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        113⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648375.bat
        114⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        115⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        115⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        114⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648421.bat
        115⤵
        
        PID:9196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        116⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        116⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        115⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648515.bat
        116⤵
        
        PID:8440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        117⤵
        Drops file in System32 directory
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        117⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        116⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648562.bat
        117⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        118⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        118⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        117⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648687.bat
        118⤵
        
        PID:8832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        119⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        119⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        118⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648718.bat
        119⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        120⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        120⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:11028
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        119⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648750.bat
        120⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        121⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        121⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        120⤵
        Drops file in System32 directory
        
        PID:9228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648781.bat
        121⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        122⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        122⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        121⤵
        Drops file in System32 directory
        
        PID:9304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648859.bat
        122⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        123⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        123⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        122⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240648984.bat
        123⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        124⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        124⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        123⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649109.bat
        124⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        125⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        125⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        124⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649203.bat
        125⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        126⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        126⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        125⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649250.bat
        126⤵
        
        PID:10172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        127⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        126⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649359.bat
        127⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        128⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        127⤵
        Drops file in System32 directory
        
        PID:7276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649390.bat
        128⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        129⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        129⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        129⤵
        Drops file in System32 directory
        
        PID:11024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        129⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        128⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649421.bat
        129⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        130⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        129⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649484.bat
        130⤵
        
        PID:7832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        131⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        130⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649515.bat
        131⤵
        
        PID:6476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        132⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        131⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649562.bat
        132⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        133⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        133⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        132⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649671.bat
        133⤵
        
        PID:9104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        134⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        133⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649765.bat
        134⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        135⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        134⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649812.bat
        135⤵
        
        PID:8784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        136⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        136⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        135⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649890.bat
        136⤵
        
        PID:9064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        137⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        137⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        136⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240649921.bat
        137⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        138⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        137⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650046.bat
        138⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        139⤵
        Views/modifies file attributes
        
        PID:9348
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        138⤵
        Drops file in System32 directory
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650156.bat
        139⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        140⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        139⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650296.bat
        140⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        141⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        140⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650328.bat
        141⤵
        
        PID:8120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        142⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        141⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650375.bat
        142⤵
        
        PID:7652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        143⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        142⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650406.bat
        143⤵
        
        PID:9800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        144⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        143⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650421.bat
        144⤵
        
        PID:9836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        145⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        144⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650515.bat
        145⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        146⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        145⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650625.bat
        146⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        147⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        146⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650671.bat
        147⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        148⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        147⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650687.bat
        148⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        149⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        148⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650734.bat
        149⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        150⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        149⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650765.bat
        150⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        151⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        150⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650812.bat
        151⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        152⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        151⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650859.bat
        152⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        153⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        152⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650921.bat
        153⤵
        
        PID:7524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        154⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        154⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        153⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240650968.bat
        154⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        155⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        154⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651015.bat
        155⤵
        
        PID:10576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        156⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        156⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        155⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651046.bat
        156⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        157⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        156⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651062.bat
        157⤵
        
        PID:9652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        158⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        157⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651109.bat
        158⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        158⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651156.bat
        159⤵
        
        PID:8772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        159⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651234.bat
        160⤵
        
        PID:10916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        160⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651296.bat
        161⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        161⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651375.bat
        162⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        162⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651421.bat
        163⤵
        
        PID:10904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        163⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651484.bat
        164⤵
        
        PID:10544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        164⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651515.bat
        165⤵
        
        PID:10712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        165⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651578.bat
        166⤵
        
        PID:10656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        166⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651609.bat
        167⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        167⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651671.bat
        168⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        168⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651703.bat
        169⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        169⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651796.bat
        170⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        170⤵
        Drops file in System32 directory
        
        PID:10908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651828.bat
        171⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        171⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651875.bat
        172⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        172⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651906.bat
        173⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        173⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651937.bat
        174⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffCBDCBD1035.exe" -r -a -s -h
        175⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        174⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240651968.bat
        175⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        175⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652031.bat
        176⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        176⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652093.bat
        177⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        177⤵
        
        PID:11960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652125.bat
        178⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        178⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652156.bat
        179⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        179⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652218.bat
        180⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        180⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652265.bat
        181⤵
        
        PID:8672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        181⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652328.bat
        182⤵
        
        PID:10608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        182⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652453.bat
        183⤵
        
        PID:10368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        183⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652484.bat
        184⤵
        
        PID:10856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        184⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240652625.bat
        185⤵
        
        PID:11460
        
        C:\Windows\SysWOW64\ffCBDCBD1035.exe
        
        C:\Windows\system32\ffCBDCBD1035.exe
        185⤵
        
        PID:9380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3748,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
1⤵
PID:8148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ffCBDCBD1035.exe

Filesize
12KB

MD5
00b91c2dff15909d155af790006eafc1

SHA1
3dc0b66555d2bee7140f4a5e881c9b8d7b4587f3

SHA256
b1dcbb4cf406f2eccb068d66bbcde872eed6fa9a01efa7e4482439765c642336

SHA512
ca5d20481f499a1b40da7f5c63339d630cfe7113b406002c873c99dbfb0f49760711241b71e70a7bde848e9a0a708091b9189bcd38bc87294b59fa7c92a51d4f

Download Submit
C:\d8008d8e164c240641750.bat

Filesize
188B

MD5
c478929910b97fc1ac3a58fba68390bb

SHA1
9eb591f7d96950165de198c7d9634a14c5803367

SHA256
66302aa76d3baa5b921779f7dc13c6c52efbab246a38137fe6c09172cb1a8c69

SHA512
6a2b8a6fba4e5c89d2eb3c94c850b4b4d584df35fa06174376555d7cf32b5d7abb83425eea407933ecd3ea20d5d610233933662b604f45827ddc9e4e930f8c09

Download Submit
\??\c:\d8008d8e164c240641687.bat

Filesize
332B

MD5
af77102a2cb9f8655c8a5b85f2cc8e2e

SHA1
8731048e6a3418d1c0a19bc8ed13e466fc469ef2

SHA256
f466c76f903efb3f428e52b1dd83b0234617e9d6be671a9bd49ed19fae4eb5da

SHA512
1899cd7f6462fa2c1c569dec57893826f49957edb08359ad77ff6da75278d92e1cfb847128b2f3b64f4ac933ec816e3465e745c104152416ecbadc181a92f015

Download Submit
memory/13652-546-0x0000000076260000-0x0000000076475000-memory.dmp

Filesize
2.1MB

Download