eeec18fb099dd4d469bd2bf0f27e49248b47dfb0917ae5a7847574148af949ec

Analysis

max time kernel
79s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe
Size

6KB
MD5

0167f07d17a27ca5b585b4ea8b31c48c
SHA1

72dfc10b896e88199f980fa5bb72021f7766f866
SHA256

eeec18fb099dd4d469bd2bf0f27e49248b47dfb0917ae5a7847574148af949ec
SHA512

96e88eae03ad5b1f4dafc783ff34fa6f069f3be03f69511d1e05964c24009d04f02a5926e35865991b3bbb713e321405c3179dc99e090900495d17ca4d18b8fa
SSDEEP

192:4BkKyXPayzbzbzbzbzbzbzbzHuzX39s97VzYRq:4yKyft///////HIXtuVU8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2816	ayEZZEZZ1040.exe
3368	ayEZZEZZ1040.exe
5076	ayEZZEZZ1040.exe
628	ayEZZEZZ1040.exe
2368	ayEZZEZZ1040.exe
1184	ayEZZEZZ1040.exe
4452	ayEZZEZZ1040.exe
4436	ayEZZEZZ1040.exe
3844	ayEZZEZZ1040.exe
2588	ayEZZEZZ1040.exe
5060	ayEZZEZZ1040.exe
896	ayEZZEZZ1040.exe
4976	ayEZZEZZ1040.exe
4480	ayEZZEZZ1040.exe
2480	ayEZZEZZ1040.exe
1332	ayEZZEZZ1040.exe
3988	ayEZZEZZ1040.exe
4268	ayEZZEZZ1040.exe
3036	ayEZZEZZ1040.exe
4116	ayEZZEZZ1040.exe
2040	ayEZZEZZ1040.exe
2208	ayEZZEZZ1040.exe
836	ayEZZEZZ1040.exe
544	ayEZZEZZ1040.exe
1720	ayEZZEZZ1040.exe
2104	ayEZZEZZ1040.exe
3132	ayEZZEZZ1040.exe
4448	ayEZZEZZ1040.exe
3972	ayEZZEZZ1040.exe
3100	ayEZZEZZ1040.exe
972	ayEZZEZZ1040.exe
4156	ayEZZEZZ1040.exe
4008	ayEZZEZZ1040.exe
2656	ayEZZEZZ1040.exe
4616	ayEZZEZZ1040.exe
3876	ayEZZEZZ1040.exe
4644	ayEZZEZZ1040.exe
2636	ayEZZEZZ1040.exe
3936	ayEZZEZZ1040.exe
1348	ayEZZEZZ1040.exe
5072	ayEZZEZZ1040.exe
1376	ayEZZEZZ1040.exe
4452	ayEZZEZZ1040.exe
4008	ayEZZEZZ1040.exe
652	ayEZZEZZ1040.exe
5128	ayEZZEZZ1040.exe
5184	ayEZZEZZ1040.exe
5268	ayEZZEZZ1040.exe
5356	ayEZZEZZ1040.exe
5412	ayEZZEZZ1040.exe
5540	ayEZZEZZ1040.exe
5584	ayEZZEZZ1040.exe
5652	ayEZZEZZ1040.exe
5760	ayEZZEZZ1040.exe
5840	ayEZZEZZ1040.exe
5968	ayEZZEZZ1040.exe
6028	ayEZZEZZ1040.exe
6088	ayEZZEZZ1040.exe
676	ayEZZEZZ1040.exe
5568	ayEZZEZZ1040.exe
4356	ayEZZEZZ1040.exe
5760	ayEZZEZZ1040.exe
5864	ayEZZEZZ1040.exe
4980	ayEZZEZZ1040.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File created	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	ayEZZEZZ1040.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayEZZEZZ1040.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1572	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	82
PID 1780 wrote to memory of 1572	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	82
PID 1780 wrote to memory of 1572	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	82
PID 1780 wrote to memory of 2816	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	83
PID 1780 wrote to memory of 2816	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	83
PID 1780 wrote to memory of 2816	1780	0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe	83
PID 2816 wrote to memory of 1072	2816	ayEZZEZZ1040.exe	84
PID 2816 wrote to memory of 1072	2816	ayEZZEZZ1040.exe	84
PID 2816 wrote to memory of 1072	2816	ayEZZEZZ1040.exe	84
PID 2816 wrote to memory of 3368	2816	ayEZZEZZ1040.exe	85
PID 2816 wrote to memory of 3368	2816	ayEZZEZZ1040.exe	85
PID 2816 wrote to memory of 3368	2816	ayEZZEZZ1040.exe	85
PID 3368 wrote to memory of 3160	3368	ayEZZEZZ1040.exe	87
PID 3368 wrote to memory of 3160	3368	ayEZZEZZ1040.exe	87
PID 3368 wrote to memory of 3160	3368	ayEZZEZZ1040.exe	87
PID 3368 wrote to memory of 5076	3368	ayEZZEZZ1040.exe	88
PID 3368 wrote to memory of 5076	3368	ayEZZEZZ1040.exe	88
PID 3368 wrote to memory of 5076	3368	ayEZZEZZ1040.exe	88
PID 5076 wrote to memory of 3624	5076	ayEZZEZZ1040.exe	90
PID 5076 wrote to memory of 3624	5076	ayEZZEZZ1040.exe	90
PID 5076 wrote to memory of 3624	5076	ayEZZEZZ1040.exe	90
PID 5076 wrote to memory of 628	5076	ayEZZEZZ1040.exe	91
PID 5076 wrote to memory of 628	5076	ayEZZEZZ1040.exe	91
PID 5076 wrote to memory of 628	5076	ayEZZEZZ1040.exe	91
PID 628 wrote to memory of 3908	628	ayEZZEZZ1040.exe	93
PID 628 wrote to memory of 3908	628	ayEZZEZZ1040.exe	93
PID 628 wrote to memory of 3908	628	ayEZZEZZ1040.exe	93
PID 628 wrote to memory of 2368	628	ayEZZEZZ1040.exe	214
PID 628 wrote to memory of 2368	628	ayEZZEZZ1040.exe	214
PID 628 wrote to memory of 2368	628	ayEZZEZZ1040.exe	214
PID 2368 wrote to memory of 4544	2368	ayEZZEZZ1040.exe	97
PID 2368 wrote to memory of 4544	2368	ayEZZEZZ1040.exe	97
PID 2368 wrote to memory of 4544	2368	ayEZZEZZ1040.exe	97
PID 2368 wrote to memory of 1184	2368	ayEZZEZZ1040.exe	98
PID 2368 wrote to memory of 1184	2368	ayEZZEZZ1040.exe	98
PID 2368 wrote to memory of 1184	2368	ayEZZEZZ1040.exe	98
PID 1184 wrote to memory of 1364	1184	ayEZZEZZ1040.exe	100
PID 1184 wrote to memory of 1364	1184	ayEZZEZZ1040.exe	100
PID 1184 wrote to memory of 1364	1184	ayEZZEZZ1040.exe	100
PID 1184 wrote to memory of 4452	1184	ayEZZEZZ1040.exe	233
PID 1184 wrote to memory of 4452	1184	ayEZZEZZ1040.exe	233
PID 1184 wrote to memory of 4452	1184	ayEZZEZZ1040.exe	233
PID 4452 wrote to memory of 620	4452	ayEZZEZZ1040.exe	102
PID 4452 wrote to memory of 620	4452	ayEZZEZZ1040.exe	102
PID 4452 wrote to memory of 620	4452	ayEZZEZZ1040.exe	102
PID 4452 wrote to memory of 4436	4452	ayEZZEZZ1040.exe	103
PID 4452 wrote to memory of 4436	4452	ayEZZEZZ1040.exe	103
PID 4452 wrote to memory of 4436	4452	ayEZZEZZ1040.exe	103
PID 4436 wrote to memory of 3216	4436	ayEZZEZZ1040.exe	105
PID 4436 wrote to memory of 3216	4436	ayEZZEZZ1040.exe	105
PID 4436 wrote to memory of 3216	4436	ayEZZEZZ1040.exe	105
PID 4436 wrote to memory of 3844	4436	ayEZZEZZ1040.exe	106
PID 4436 wrote to memory of 3844	4436	ayEZZEZZ1040.exe	106
PID 4436 wrote to memory of 3844	4436	ayEZZEZZ1040.exe	106
PID 3844 wrote to memory of 2488	3844	ayEZZEZZ1040.exe	107
PID 3844 wrote to memory of 2488	3844	ayEZZEZZ1040.exe	107
PID 3844 wrote to memory of 2488	3844	ayEZZEZZ1040.exe	107
PID 3844 wrote to memory of 2588	3844	ayEZZEZZ1040.exe	108
PID 3844 wrote to memory of 2588	3844	ayEZZEZZ1040.exe	108
PID 3844 wrote to memory of 2588	3844	ayEZZEZZ1040.exe	108
PID 1572 wrote to memory of 2540	1572	cmd.exe	110
PID 1572 wrote to memory of 2540	1572	cmd.exe	110
PID 1572 wrote to memory of 2540	1572	cmd.exe	110
PID 2588 wrote to memory of 4888	2588	ayEZZEZZ1040.exe	112

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6648	attrib.exe
6480	attrib.exe
8012	attrib.exe
13212	Process not Found
13148	Process not Found
13772	Process not Found
8564	attrib.exe
11512	attrib.exe
12984	Process not Found
8752	attrib.exe
8068	attrib.exe
9892	attrib.exe
9388	attrib.exe
11960	Process not Found
11156	Process not Found
6168	attrib.exe
6740	attrib.exe
14168	Process not Found
12060	Process not Found
7024	attrib.exe
7928	attrib.exe
6832	attrib.exe
10236	attrib.exe
10180	attrib.exe
12816	Process not Found
12560	Process not Found
8568	attrib.exe
10736	attrib.exe
13696	Process not Found
13680	Process not Found
12680	Process not Found
5996	attrib.exe
9300	attrib.exe
11136	attrib.exe
11280	Process not Found
13472	Process not Found
9008	attrib.exe
7200	attrib.exe
12204	Process not Found
12272	Process not Found
4488	attrib.exe
8488	attrib.exe
9240	attrib.exe
12712	Process not Found
12324	Process not Found
7836	attrib.exe
9212	attrib.exe
12844	Process not Found
14052	Process not Found
6936	attrib.exe
10352	attrib.exe
13148	Process not Found
6072	attrib.exe
6272	attrib.exe
11752	Process not Found
10436	Process not Found
10456	Process not Found
8584	attrib.exe
10436	attrib.exe
12324	Process not Found
6972	attrib.exe
6792	attrib.exe
7324	attrib.exe
5440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596578.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\0167f07d17a27ca5b585b4ea8b31c48c_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2540
- C:\Windows\SysWOW64\ayEZZEZZ1040.exe
  C:\Windows\system32\ayEZZEZZ1040.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596609.bat
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:5976
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:5684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:8932
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:10652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
      4⤵
      PID:11956
- - C:\Windows\SysWOW64\ayEZZEZZ1040.exe
    C:\Windows\system32\ayEZZEZZ1040.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596625.bat
      4⤵
      PID:3160
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        
        PID:652
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:5684
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        
        PID:6192
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        
        PID:8248
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:8716
  - - C:\Windows\SysWOW64\ayEZZEZZ1040.exe
      C:\Windows\system32\ayEZZEZZ1040.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596640.bat
        5⤵
        
        PID:3624
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:5364
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:6272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:7548
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:8852
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:9632
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:9168
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:9108
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        6⤵
        
        PID:9676
    - - C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596656.bat
        6⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        Views/modifies file attributes
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        7⤵
        
        PID:12104
      - C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596687.bat
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        8⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596703.bat
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        9⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596734.bat
        9⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        10⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596750.bat
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:6972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        11⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596781.bat
        11⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        Views/modifies file attributes
        
        PID:9240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        12⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596812.bat
        12⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        13⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        13⤵
        Views/modifies file attributes
        
        PID:6072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        13⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        13⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        13⤵
        Views/modifies file attributes
        
        PID:10436
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        12⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596859.bat
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        14⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        13⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596921.bat
        14⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        Views/modifies file attributes
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        15⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596937.bat
        15⤵
        
        PID:336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        16⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        15⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240596968.bat
        16⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        17⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        16⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597000.bat
        17⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:6648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        18⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        17⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597062.bat
        18⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        19⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        18⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597125.bat
        19⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        20⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        19⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597171.bat
        20⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        21⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        21⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        21⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        21⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:9388
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        20⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597218.bat
        21⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        22⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        21⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597250.bat
        22⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        23⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        23⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        23⤵
        Views/modifies file attributes
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        23⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        23⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        22⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597265.bat
        23⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        24⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        23⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597328.bat
        24⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        25⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        24⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597343.bat
        25⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:8068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        26⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        25⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597375.bat
        26⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        27⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        26⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597390.bat
        27⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        28⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        27⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597437.bat
        28⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        29⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        29⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        29⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        29⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        28⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597562.bat
        29⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        30⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        29⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597593.bat
        30⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        31⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        30⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597625.bat
        31⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        32⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        31⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597656.bat
        32⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        33⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        32⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597687.bat
        33⤵
        
        PID:1732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        34⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        34⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        34⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        34⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        34⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        33⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597703.bat
        34⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        35⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        34⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597781.bat
        35⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        36⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        35⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597812.bat
        36⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        37⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        37⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        37⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        37⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        37⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        36⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597859.bat
        37⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        38⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        38⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        38⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        38⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        38⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        37⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597921.bat
        38⤵
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        39⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        38⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240597968.bat
        39⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        40⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        40⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        40⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        40⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        40⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        39⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598000.bat
        40⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        41⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        41⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        41⤵
        Views/modifies file attributes
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        41⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        41⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        40⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598046.bat
        41⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        42⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        42⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        42⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        42⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        42⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        41⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598078.bat
        42⤵
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        43⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        43⤵
        Views/modifies file attributes
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        43⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        43⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        43⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        42⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598125.bat
        43⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        44⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        44⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        44⤵
        Drops file in System32 directory
        
        PID:8884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        44⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        44⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        43⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598156.bat
        44⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        45⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        45⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        45⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        45⤵
        Views/modifies file attributes
        
        PID:10236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        45⤵
        
        PID:12056
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        44⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598203.bat
        45⤵
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        46⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        46⤵
        Views/modifies file attributes
        
        PID:6936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        46⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        46⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        46⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        45⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598234.bat
        46⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        47⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        47⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        47⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        47⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        46⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598281.bat
        47⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        48⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        48⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        48⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        48⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        47⤵
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598312.bat
        48⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        49⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        49⤵
        Drops file in System32 directory
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        49⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        49⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        48⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598343.bat
        49⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:8568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:11512
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        49⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598390.bat
        50⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        51⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        51⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        51⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        51⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        50⤵
        Executes dropped EXE
        
        PID:5356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598421.bat
        51⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        52⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        52⤵
        Drops file in System32 directory
        
        PID:7172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        52⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        52⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        52⤵
        Views/modifies file attributes
        
        PID:10180
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        51⤵
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598500.bat
        52⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        53⤵
        Views/modifies file attributes
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        53⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        53⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        52⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598515.bat
        53⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        54⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        54⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        54⤵
        Drops file in System32 directory
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        54⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        54⤵
        Views/modifies file attributes
        
        PID:9212
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        53⤵
        Executes dropped EXE
        
        PID:5584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598562.bat
        54⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        55⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        55⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        55⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        55⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        54⤵
        Executes dropped EXE
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598609.bat
        55⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        56⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        56⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        56⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        56⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        55⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598656.bat
        56⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        57⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        57⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        57⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        57⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        56⤵
        Executes dropped EXE
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598718.bat
        57⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        58⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        58⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        58⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        58⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        57⤵
        Executes dropped EXE
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598750.bat
        58⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        59⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        59⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        59⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        59⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        59⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        58⤵
        Executes dropped EXE
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598781.bat
        59⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        60⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        60⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        60⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        60⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        60⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        59⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598828.bat
        60⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        61⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        61⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        61⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        61⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        60⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598921.bat
        61⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        62⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        62⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        62⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        62⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        61⤵
        Executes dropped EXE
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598953.bat
        62⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        63⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        63⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        63⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        63⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        62⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240598984.bat
        63⤵
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        64⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        64⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        64⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        64⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        63⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599015.bat
        64⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        65⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        65⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        65⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        65⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        64⤵
        Executes dropped EXE
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599062.bat
        65⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        66⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        66⤵
        Views/modifies file attributes
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        66⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        66⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        65⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599109.bat
        66⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        67⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        67⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        67⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        67⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        66⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599187.bat
        67⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        68⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        68⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        68⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        68⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        67⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599203.bat
        68⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        69⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        69⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        69⤵
        Drops file in System32 directory
        
        PID:9272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        69⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        68⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599234.bat
        69⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        70⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        70⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        70⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        70⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        69⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599265.bat
        70⤵
        
        PID:5776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        71⤵
        Views/modifies file attributes
        
        PID:5996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        71⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        71⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        71⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        70⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599281.bat
        71⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        72⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        72⤵
        Views/modifies file attributes
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        72⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        72⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        71⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599328.bat
        72⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        73⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        73⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        73⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        73⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        72⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599406.bat
        73⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        74⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        74⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        74⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        74⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        73⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599453.bat
        74⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        75⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        75⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        75⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        75⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        74⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599515.bat
        75⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        76⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        76⤵
        Drops file in System32 directory
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        76⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        76⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        76⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        75⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599609.bat
        76⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        77⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        76⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599656.bat
        77⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        78⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        78⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        78⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        78⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        78⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        77⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599687.bat
        78⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        79⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        79⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        79⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        78⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599750.bat
        79⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        80⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        80⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        80⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        79⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599781.bat
        80⤵
        
        PID:5808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        81⤵
        Views/modifies file attributes
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        81⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        81⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        80⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599828.bat
        81⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        82⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        82⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        82⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        81⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599890.bat
        82⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        83⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        83⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        83⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        82⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599937.bat
        83⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        84⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        84⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        84⤵
        Views/modifies file attributes
        
        PID:10736
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        83⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240599984.bat
        84⤵
        
        PID:4344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        85⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        85⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        85⤵
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        84⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600015.bat
        85⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        86⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        86⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        86⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        85⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600062.bat
        86⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        87⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        87⤵
        Drops file in System32 directory
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        87⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        87⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        86⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600078.bat
        87⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        88⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        88⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        88⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        87⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600140.bat
        88⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        89⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        89⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        89⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        88⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600171.bat
        89⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        90⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        90⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        90⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        89⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600234.bat
        90⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        91⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        91⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        91⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        91⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        91⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        90⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600296.bat
        91⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        92⤵
        Views/modifies file attributes
        
        PID:8584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        92⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        92⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        91⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600375.bat
        92⤵
        
        PID:6728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        93⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        93⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        93⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        93⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        92⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600406.bat
        93⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        94⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        94⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        94⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        93⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600437.bat
        94⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        95⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        95⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        95⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        94⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600500.bat
        95⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        96⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        96⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        96⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        96⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        95⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600546.bat
        96⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        97⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        97⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        97⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        96⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600578.bat
        97⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        98⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        98⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        98⤵
        Views/modifies file attributes
        
        PID:11136
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        97⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600625.bat
        98⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        99⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        99⤵
        Views/modifies file attributes
        
        PID:7200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        99⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        98⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600656.bat
        99⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        100⤵
        Drops file in System32 directory
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        100⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        99⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600671.bat
        100⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        101⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        101⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        101⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        101⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        101⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        100⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600703.bat
        101⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        102⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        102⤵
        Drops file in System32 directory
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        102⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        101⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600765.bat
        102⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        103⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        103⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        103⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        102⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600859.bat
        103⤵
        
        PID:8052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        104⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        104⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        104⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        103⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600890.bat
        104⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        105⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        105⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        104⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600937.bat
        105⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        106⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        106⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        106⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        105⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240600953.bat
        106⤵
        
        PID:6284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        107⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        107⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        107⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        106⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601000.bat
        107⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        108⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        108⤵
        Drops file in System32 directory
        
        PID:10336
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        107⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601031.bat
        108⤵
        
        PID:6264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        109⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        109⤵
        Views/modifies file attributes
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        109⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        108⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601109.bat
        109⤵
        
        PID:7908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        110⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        110⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        110⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        110⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        109⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601171.bat
        110⤵
        
        PID:8060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        111⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        111⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6740
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        110⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601250.bat
        111⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        112⤵
        Views/modifies file attributes
        
        PID:6832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        112⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        111⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601328.bat
        112⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        113⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        113⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        113⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        113⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        112⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601375.bat
        113⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        114⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        114⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        114⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        113⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601437.bat
        114⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        115⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        115⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        114⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601500.bat
        115⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        116⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        116⤵
        Views/modifies file attributes
        
        PID:8012
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        115⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601546.bat
        116⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        117⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        117⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        116⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601609.bat
        117⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        118⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        118⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        118⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        118⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        117⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601843.bat
        118⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        119⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        119⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        118⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240601953.bat
        119⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        120⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        120⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        119⤵
        Drops file in System32 directory
        
        PID:8944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602000.bat
        120⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        121⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        121⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        120⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602031.bat
        121⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        122⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        122⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        122⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        122⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        122⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        121⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602093.bat
        122⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        123⤵
        Views/modifies file attributes
        
        PID:9300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        123⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        122⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602109.bat
        123⤵
        
        PID:6892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        124⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        124⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        123⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602171.bat
        124⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        125⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        125⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        124⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602187.bat
        125⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        126⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        126⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        125⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602265.bat
        126⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        127⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        127⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        126⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602312.bat
        127⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        128⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        128⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        127⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602359.bat
        128⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        129⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        129⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        128⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602406.bat
        129⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        130⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        130⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        129⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602453.bat
        130⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        131⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        131⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        130⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602500.bat
        131⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        132⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        132⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        131⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602562.bat
        132⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        133⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        133⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        132⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602656.bat
        133⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        134⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        134⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        133⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602734.bat
        134⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        135⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        135⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        134⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602765.bat
        135⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        136⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        136⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        135⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602812.bat
        136⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        137⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        137⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        136⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602890.bat
        137⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        138⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        138⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        137⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602937.bat
        138⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        139⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        139⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        138⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240602968.bat
        139⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        140⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        140⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        139⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603046.bat
        140⤵
        
        PID:9072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        141⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        140⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603109.bat
        141⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        142⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        141⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603156.bat
        142⤵
        
        PID:6216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        143⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        143⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        142⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603203.bat
        143⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        144⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        143⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603250.bat
        144⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        145⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        145⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        144⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603265.bat
        145⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        146⤵
        Drops file in System32 directory
        
        PID:9776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        146⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        145⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603359.bat
        146⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        147⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        146⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603437.bat
        147⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        148⤵
        Drops file in System32 directory
        
        PID:10864
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        147⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603500.bat
        148⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        149⤵
        Drops file in System32 directory
        
        PID:9432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        149⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        148⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603578.bat
        149⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        150⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        150⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        150⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        149⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603625.bat
        150⤵
        
        PID:10060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        151⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        150⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603703.bat
        151⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        152⤵
        Drops file in System32 directory
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        152⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        151⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603734.bat
        152⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        153⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        152⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603781.bat
        153⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        154⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        153⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603843.bat
        154⤵
        
        PID:9184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        155⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        154⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240603937.bat
        155⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        156⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        155⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604015.bat
        156⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        157⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        157⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        156⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604046.bat
        157⤵
        
        PID:9828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        158⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        157⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604062.bat
        158⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        159⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        158⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604093.bat
        159⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        160⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        159⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604171.bat
        160⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        161⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        161⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        160⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604187.bat
        161⤵
        
        PID:9124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        162⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        161⤵
        Drops file in System32 directory
        
        PID:9600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604234.bat
        162⤵
        
        PID:8556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        163⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        162⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604328.bat
        163⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        164⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        163⤵
        Drops file in System32 directory
        
        PID:10288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604375.bat
        164⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        165⤵
        Views/modifies file attributes
        
        PID:10352
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        164⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604421.bat
        165⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        166⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        165⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604453.bat
        166⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        167⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        167⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        166⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604500.bat
        167⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        168⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        167⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604531.bat
        168⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        169⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        168⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604640.bat
        169⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        170⤵
        Drops file in System32 directory
        
        PID:10936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        170⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        169⤵
        Drops file in System32 directory
        
        PID:11044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604718.bat
        170⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        171⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        170⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604781.bat
        171⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        172⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        171⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604875.bat
        172⤵
        
        PID:8640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        172⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240604953.bat
        173⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        173⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605046.bat
        174⤵
        
        PID:10428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        174⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605078.bat
        175⤵
        
        PID:8860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        176⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        175⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605125.bat
        176⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        176⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605171.bat
        177⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        177⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605203.bat
        178⤵
        
        PID:10720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        178⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605218.bat
        179⤵
        
        PID:10516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        179⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605312.bat
        180⤵
        
        PID:9484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        180⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605328.bat
        181⤵
        
        PID:10872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        181⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605390.bat
        182⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        182⤵
        
        PID:11096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605421.bat
        183⤵
        
        PID:11144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        183⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605500.bat
        184⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayEZZEZZ1040.exe" -r -a -s -h
        185⤵
        Drops file in System32 directory
        
        PID:11128
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        184⤵
        Drops file in System32 directory
        
        PID:11356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605531.bat
        185⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        185⤵
        
        PID:11452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605625.bat
        186⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        186⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605671.bat
        187⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        187⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605687.bat
        188⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        188⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605718.bat
        189⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        189⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605812.bat
        190⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        190⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605859.bat
        191⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        191⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d2b282ef026d240605921.bat
        192⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\ayEZZEZZ1040.exe
        
        C:\Windows\system32\ayEZZEZZ1040.exe
        192⤵
        
        PID:6404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ayEZZEZZ1040.exe

Filesize
6KB

MD5
0167f07d17a27ca5b585b4ea8b31c48c

SHA1
72dfc10b896e88199f980fa5bb72021f7766f866

SHA256
eeec18fb099dd4d469bd2bf0f27e49248b47dfb0917ae5a7847574148af949ec

SHA512
96e88eae03ad5b1f4dafc783ff34fa6f069f3be03f69511d1e05964c24009d04f02a5926e35865991b3bbb713e321405c3179dc99e090900495d17ca4d18b8fa

Download Submit
C:\d2b282ef026d240596640.bat

Filesize
188B

MD5
1a7a6c10bb7d283bb6a640e03628b57e

SHA1
b36b1090e7e2f26727df2ead78d6d063f2b5c2ef

SHA256
579b852cda40aceb7df498872dbb41e77a395926fcc481c0a758c3df67c9c570

SHA512
00b1055c1342093c515abdb338448e054f0a01ec27d56eae0443c196e9308613a9bef8b5e0943a50feb14a310f481c129e43318305cd21a0c30e486bb0cd362c

Download Submit
\??\c:\d2b282ef026d240596578.bat

Filesize
332B

MD5
06618309b98d0c5b95b45e70f844ab42

SHA1
75c5ed9861c5d93d8319334c241f87cc4f807454

SHA256
b68b3f2c245346be5bdc239c3d2ed65344b468da60343326241a4409fa03ce63

SHA512
5c3ff0a3fe9f9520d0ee035f171e7b278f620186f1869af7937a3b766aca04616ee2d081ada266163f6440b197754eab37f8d94049e89d828421f22a7c94b514

Download Submit
memory/13460-562-0x00007FFDEC5A0000-0x00007FFDEC623000-memory.dmp

Filesize
524KB

Download