9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e

Analysis

max time kernel
72s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
Size

10KB
MD5

0219170f84906e167a69ac75f6433bfb
SHA1

71092e256a6a965152cb97edf7b63f2a78891930
SHA256

9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e
SHA512

fe185854c5f304d229953e4d7916d5f8198a4c1a179de3263240acdf01201a1ea004e30d86757c4b97caafe0d8924375cd7ebf00ea493afc764c62fc5bb6d31e
SSDEEP

192:YcS/tqlXq/Sa5JZnsIscFJfsiIszV7pcZlmbbfrOo6gydyZ:YcS/V/SoznhFJUiXzli6/fB6gyd4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1136	ayCBDCBD1041.exe
2604	ayCBDCBD1041.exe
2588	ayCBDCBD1041.exe
2744	ayCBDCBD1041.exe
768	ayCBDCBD1041.exe
2212	ayCBDCBD1041.exe
1516	ayCBDCBD1041.exe
2016	ayCBDCBD1041.exe
1724	ayCBDCBD1041.exe
596	ayCBDCBD1041.exe
1908	ayCBDCBD1041.exe
1768	ayCBDCBD1041.exe
1860	ayCBDCBD1041.exe
2308	ayCBDCBD1041.exe
2392	ayCBDCBD1041.exe
2608	ayCBDCBD1041.exe
3036	ayCBDCBD1041.exe
2040	ayCBDCBD1041.exe
1096	ayCBDCBD1041.exe
560	ayCBDCBD1041.exe
2256	ayCBDCBD1041.exe
1600	ayCBDCBD1041.exe
1492	ayCBDCBD1041.exe
1872	ayCBDCBD1041.exe
336	ayCBDCBD1041.exe
960	ayCBDCBD1041.exe
2820	ayCBDCBD1041.exe
1400	ayCBDCBD1041.exe
880	ayCBDCBD1041.exe
1840	ayCBDCBD1041.exe
548	ayCBDCBD1041.exe
1916	ayCBDCBD1041.exe
2716	ayCBDCBD1041.exe
2628	ayCBDCBD1041.exe
940	ayCBDCBD1041.exe
2008	ayCBDCBD1041.exe
2172	ayCBDCBD1041.exe
3060	ayCBDCBD1041.exe
1532	ayCBDCBD1041.exe
3000	ayCBDCBD1041.exe
2304	ayCBDCBD1041.exe
1720	ayCBDCBD1041.exe
2876	ayCBDCBD1041.exe
2448	ayCBDCBD1041.exe
2628	ayCBDCBD1041.exe
1428	ayCBDCBD1041.exe
2872	ayCBDCBD1041.exe
3060	ayCBDCBD1041.exe
880	ayCBDCBD1041.exe
1108	ayCBDCBD1041.exe
1700	ayCBDCBD1041.exe
360	ayCBDCBD1041.exe
956	ayCBDCBD1041.exe
1808	ayCBDCBD1041.exe
2868	ayCBDCBD1041.exe
1612	ayCBDCBD1041.exe
2284	ayCBDCBD1041.exe
3240	ayCBDCBD1041.exe
3588	ayCBDCBD1041.exe
4012	ayCBDCBD1041.exe
3164	ayCBDCBD1041.exe
3116	ayCBDCBD1041.exe
3716	ayCBDCBD1041.exe
4016	ayCBDCBD1041.exe

Loads dropped DLL 64 IoCs

pid	Process
2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
1136	ayCBDCBD1041.exe
1136	ayCBDCBD1041.exe
2604	ayCBDCBD1041.exe
2604	ayCBDCBD1041.exe
2588	ayCBDCBD1041.exe
2588	ayCBDCBD1041.exe
2744	ayCBDCBD1041.exe
2744	ayCBDCBD1041.exe
768	ayCBDCBD1041.exe
768	ayCBDCBD1041.exe
2212	ayCBDCBD1041.exe
2212	ayCBDCBD1041.exe
1516	ayCBDCBD1041.exe
1516	ayCBDCBD1041.exe
2016	ayCBDCBD1041.exe
2016	ayCBDCBD1041.exe
1724	ayCBDCBD1041.exe
1724	ayCBDCBD1041.exe
596	ayCBDCBD1041.exe
596	ayCBDCBD1041.exe
1908	ayCBDCBD1041.exe
1908	ayCBDCBD1041.exe
1768	ayCBDCBD1041.exe
1768	ayCBDCBD1041.exe
1860	ayCBDCBD1041.exe
1860	ayCBDCBD1041.exe
2308	ayCBDCBD1041.exe
2308	ayCBDCBD1041.exe
2392	ayCBDCBD1041.exe
2392	ayCBDCBD1041.exe
2608	ayCBDCBD1041.exe
2608	ayCBDCBD1041.exe
3036	ayCBDCBD1041.exe
3036	ayCBDCBD1041.exe
2040	ayCBDCBD1041.exe
2040	ayCBDCBD1041.exe
1096	ayCBDCBD1041.exe
1096	ayCBDCBD1041.exe
560	ayCBDCBD1041.exe
560	ayCBDCBD1041.exe
2256	ayCBDCBD1041.exe
2256	ayCBDCBD1041.exe
1600	ayCBDCBD1041.exe
1600	ayCBDCBD1041.exe
1492	ayCBDCBD1041.exe
1492	ayCBDCBD1041.exe
1872	ayCBDCBD1041.exe
1872	ayCBDCBD1041.exe
336	ayCBDCBD1041.exe
336	ayCBDCBD1041.exe
960	ayCBDCBD1041.exe
960	ayCBDCBD1041.exe
2820	ayCBDCBD1041.exe
2820	ayCBDCBD1041.exe
1400	ayCBDCBD1041.exe
1400	ayCBDCBD1041.exe
880	ayCBDCBD1041.exe
880	ayCBDCBD1041.exe
1840	ayCBDCBD1041.exe
1840	ayCBDCBD1041.exe
548	ayCBDCBD1041.exe
548	ayCBDCBD1041.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2880	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2880	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2880	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	28
PID 2188 wrote to memory of 2880	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	28
PID 2188 wrote to memory of 1136	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	29
PID 2188 wrote to memory of 1136	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	29
PID 2188 wrote to memory of 1136	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	29
PID 2188 wrote to memory of 1136	2188	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	29
PID 1136 wrote to memory of 2596	1136	ayCBDCBD1041.exe	31
PID 1136 wrote to memory of 2596	1136	ayCBDCBD1041.exe	31
PID 1136 wrote to memory of 2596	1136	ayCBDCBD1041.exe	31
PID 1136 wrote to memory of 2596	1136	ayCBDCBD1041.exe	31
PID 1136 wrote to memory of 2604	1136	ayCBDCBD1041.exe	32
PID 1136 wrote to memory of 2604	1136	ayCBDCBD1041.exe	32
PID 1136 wrote to memory of 2604	1136	ayCBDCBD1041.exe	32
PID 1136 wrote to memory of 2604	1136	ayCBDCBD1041.exe	32
PID 2604 wrote to memory of 2580	2604	ayCBDCBD1041.exe	34
PID 2604 wrote to memory of 2580	2604	ayCBDCBD1041.exe	34
PID 2604 wrote to memory of 2580	2604	ayCBDCBD1041.exe	34
PID 2604 wrote to memory of 2580	2604	ayCBDCBD1041.exe	34
PID 2604 wrote to memory of 2588	2604	ayCBDCBD1041.exe	35
PID 2604 wrote to memory of 2588	2604	ayCBDCBD1041.exe	35
PID 2604 wrote to memory of 2588	2604	ayCBDCBD1041.exe	35
PID 2604 wrote to memory of 2588	2604	ayCBDCBD1041.exe	35
PID 2588 wrote to memory of 2792	2588	ayCBDCBD1041.exe	37
PID 2588 wrote to memory of 2792	2588	ayCBDCBD1041.exe	37
PID 2588 wrote to memory of 2792	2588	ayCBDCBD1041.exe	37
PID 2588 wrote to memory of 2792	2588	ayCBDCBD1041.exe	37
PID 2880 wrote to memory of 2496	2880	cmd.exe	40
PID 2596 wrote to memory of 2704	2596	cmd.exe	41
PID 2880 wrote to memory of 2496	2880	cmd.exe	40
PID 2880 wrote to memory of 2496	2880	cmd.exe	40
PID 2880 wrote to memory of 2496	2880	cmd.exe	40
PID 2596 wrote to memory of 2704	2596	cmd.exe	41
PID 2596 wrote to memory of 2704	2596	cmd.exe	41
PID 2596 wrote to memory of 2704	2596	cmd.exe	41
PID 2588 wrote to memory of 2744	2588	ayCBDCBD1041.exe	38
PID 2588 wrote to memory of 2744	2588	ayCBDCBD1041.exe	38
PID 2588 wrote to memory of 2744	2588	ayCBDCBD1041.exe	38
PID 2588 wrote to memory of 2744	2588	ayCBDCBD1041.exe	38
PID 2580 wrote to memory of 2456	2580	cmd.exe	42
PID 2580 wrote to memory of 2456	2580	cmd.exe	42
PID 2580 wrote to memory of 2456	2580	cmd.exe	42
PID 2580 wrote to memory of 2456	2580	cmd.exe	42
PID 2744 wrote to memory of 2576	2744	ayCBDCBD1041.exe	44
PID 2744 wrote to memory of 2576	2744	ayCBDCBD1041.exe	44
PID 2744 wrote to memory of 2576	2744	ayCBDCBD1041.exe	44
PID 2744 wrote to memory of 2576	2744	ayCBDCBD1041.exe	44
PID 2596 wrote to memory of 2516	2596	cmd.exe	43
PID 2596 wrote to memory of 2516	2596	cmd.exe	43
PID 2596 wrote to memory of 2516	2596	cmd.exe	43
PID 2596 wrote to memory of 2516	2596	cmd.exe	43
PID 2744 wrote to memory of 768	2744	ayCBDCBD1041.exe	45
PID 2744 wrote to memory of 768	2744	ayCBDCBD1041.exe	45
PID 2744 wrote to memory of 768	2744	ayCBDCBD1041.exe	45
PID 2744 wrote to memory of 768	2744	ayCBDCBD1041.exe	45
PID 768 wrote to memory of 2900	768	ayCBDCBD1041.exe	47
PID 768 wrote to memory of 2900	768	ayCBDCBD1041.exe	47
PID 768 wrote to memory of 2900	768	ayCBDCBD1041.exe	47
PID 768 wrote to memory of 2900	768	ayCBDCBD1041.exe	47
PID 768 wrote to memory of 2212	768	ayCBDCBD1041.exe	48
PID 768 wrote to memory of 2212	768	ayCBDCBD1041.exe	48
PID 768 wrote to memory of 2212	768	ayCBDCBD1041.exe	48
PID 768 wrote to memory of 2212	768	ayCBDCBD1041.exe	48

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6836	Process not Found
11332	Process not Found
12996	Process not Found
7280	Process not Found
7708	Process not Found
8632	Process not Found
17472	Process not Found
3932	attrib.exe
3828	Process not Found
4144	Process not Found
16660	Process not Found
1672	attrib.exe
3272	Process not Found
9348	Process not Found
3192	Process not Found
9004	Process not Found
8492	Process not Found
16472	Process not Found
1844	attrib.exe
4468	Process not Found
3996	Process not Found
4604	Process not Found
9244	Process not Found
9952	Process not Found
4684	Process not Found
7680	Process not Found
9608	Process not Found
3532	Process not Found
6164	Process not Found
1412	Process not Found
1084	Process not Found
4504	Process not Found
16572	Process not Found
11644	Process not Found
17060	Process not Found
4724	Process not Found
9128	Process not Found
3356	Process not Found
4732	Process not Found
4476	Process not Found
12324	Process not Found
10032	Process not Found
1516	Process not Found
11544	Process not Found
13092	Process not Found
11144	Process not Found
14188	Process not Found
1492	Process not Found
6304	Process not Found
9592	Process not Found
14120	Process not Found
6520	Process not Found
12972	Process not Found
4572	Process not Found
16120	Process not Found
3396	Process not Found
3776	Process not Found
5872	Process not Found
2632	Process not Found
932	Process not Found
4368	Process not Found
15640	Process not Found
13764	Process not Found
12188	Process not Found

C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\ca69b18ee8c2259392440.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2496
- C:\Windows\SysWOW64\ayCBDCBD1041.exe
  C:\Windows\system32\ayCBDCBD1041.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\ca69b18ee8c2259392487.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:2060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3280
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:3552
- - C:\Windows\SysWOW64\ayCBDCBD1041.exe
    C:\Windows\system32\ayCBDCBD1041.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\ca69b18ee8c2259392503.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2060
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:3456
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:3316
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:3508
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:3240
  - - C:\Windows\SysWOW64\ayCBDCBD1041.exe
      C:\Windows\system32\ayCBDCBD1041.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392534.bat
        5⤵
        
        PID:2792
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1716
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:328
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1376
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2276
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2508
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1516
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2304
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2528
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1612
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:3664
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2672
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:3948
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:2528
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:3932
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392550.bat
        6⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392565.bat
        7⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392581.bat
        8⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392596.bat
        9⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392612.bat
        10⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392674.bat
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392706.bat
        12⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392737.bat
        13⤵
        
        PID:452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392799.bat
        14⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392846.bat
        15⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392877.bat
        16⤵
        
        PID:896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259392971.bat
        17⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393049.bat
        18⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393220.bat
        19⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393267.bat
        20⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393283.bat
        21⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393314.bat
        22⤵
        
        PID:748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393330.bat
        23⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393330.bat
        24⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393345.bat
        25⤵
        
        PID:684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393361.bat
        26⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393376.bat
        27⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        Views/modifies file attributes
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393392.bat
        28⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393392.bat
        29⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393408.bat
        30⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393439.bat
        31⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393439.bat
        32⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393454.bat
        33⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        33⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393470.bat
        34⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        34⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393486.bat
        35⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        35⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393501.bat
        36⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        36⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393517.bat
        37⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        37⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393532.bat
        38⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        38⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393548.bat
        39⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        39⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393564.bat
        40⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        40⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393579.bat
        41⤵
        
        PID:980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        41⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393595.bat
        42⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        42⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393595.bat
        43⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        43⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393610.bat
        44⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        44⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393626.bat
        45⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        45⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393642.bat
        46⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        46⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393657.bat
        47⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        47⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393673.bat
        48⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        48⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393688.bat
        49⤵
        
        PID:632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:560
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        49⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393704.bat
        50⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        50⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259393782.bat
        51⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        51⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259394546.bat
        52⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        52⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259394812.bat
        53⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        53⤵
        Executes dropped EXE
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259395124.bat
        54⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        54⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259395529.bat
        55⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259395950.bat
        56⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        56⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259396434.bat
        57⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        57⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259397089.bat
        58⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        58⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259397495.bat
        59⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        59⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259398056.bat
        60⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259398696.bat
        61⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        61⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259398977.bat
        62⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        62⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259399320.bat
        63⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        63⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259399819.bat
        64⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        64⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259400396.bat
        65⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        65⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259401036.bat
        66⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        66⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259401847.bat
        67⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        67⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259402237.bat
        68⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        68⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259402877.bat
        69⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        69⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259403111.bat
        70⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        70⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259403938.bat
        71⤵
        
        PID:3632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-490608927-15615554244827520871703060795-551041125-6670309271828419610-1644073943"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2094358828166357353618747556321036160568-1730940871851888258-1760896118243635741"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1366705755337783171099873255210232686-681014883-8473631361624109492-1472330940"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7489856661662843473-26707876352854045610520885291169404398-1230603117357856919"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1673011667-2047020128-488072506-1073782514-729772204-494029422-4152207231687984674"
1⤵
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2132749517-1140533508127387575815122069327857598062014698885202869682-1791173875"
1⤵
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "562339852-18876831462015526293-2008326120-1640519111-966120670-631105002-279516321"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-166522582614174196969607096592859849732696984291625854111-2129787013-1628177697"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-32453400-18979483481073861730-784617996-195269177-1056636892-1550956744-1823508320"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72568069710307859321634513807-1641055664-6620712491341679720-1789314035522349749"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-439233493-1751049457-528290007581930971-1584544868-739483551-6235474961116594963"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "128749724916462266271774381064-2030179742282584324-83413271216950650211958134907"
1⤵
PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121327565216041242401896653305-19213073681753153107-1952726100-1568004469121657032"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-737314886170307287719378739361091282209-933063507-716479701889086435-1577486584"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1386230032146152120911940649852141402176-1746258592475188920-1015672578-1488319840"
1⤵
PID:568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7429095418824905243555329-20256008791591819769-862373822-18734442691185000243"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10155641681881445886-982311766-2010630128559173606-528405696618641701744583592"
1⤵
PID:3140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "191207180-1687541172-16873063868659026711106620669-8375529151463857632-1854506322"
1⤵
PID:3712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "70472292906260724515073404730826390-7798718-57007328116089412811457943325"
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-677270431439939550-9650967-1409625866-769295572192570111-517965386-524523101"
1⤵
PID:3572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2237957317931779901190158725-1241615561898448343768528841-450655469-495789628"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "165448456015810466731639650240-4490577221103102724-528430742-19885614321123754311"
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ayCBDCBD1041.exe

Filesize
10KB

MD5
0219170f84906e167a69ac75f6433bfb

SHA1
71092e256a6a965152cb97edf7b63f2a78891930

SHA256
9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e

SHA512
fe185854c5f304d229953e4d7916d5f8198a4c1a179de3263240acdf01201a1ea004e30d86757c4b97caafe0d8924375cd7ebf00ea493afc764c62fc5bb6d31e

Download Submit
C:\ca69b18ee8c2259392440.bat

Filesize
332B

MD5
2e351f3559f33f284c54bf1b757f73c4

SHA1
e3b536877d4d3ad07af4d110cb64a3b7efecf2ff

SHA256
2bff2a07ecb55759de7aa9c4d399fc89b85a039ecbccb1b5e168d731bfded7d3

SHA512
b023782f45ff78ab018dac7cf24b1fd80edd39802db357a472bc6a03c95e154ee8607ad63fe14bd1b4326c0c1d32ad8d600f0da960699f5c37783b686df46ebf

Download Submit
C:\ca69b18ee8c2259392487.bat

Filesize
188B

MD5
0f3312155135cf396aa19d19003e0e01

SHA1
e2f13247fe520126c41f13dff02ae3c578d40e37

SHA256
6ba5bcd648c655c5eb7c6c07732c2f878d2276d0c685df01d763bfc77b770ab4

SHA512
e2611c6f7b2d5d2e4cfb50291ac9ef1fddc218a97dff3546ebe4e0c8c41d358da8652c5aa42ab224b72d66ae21f576b43f24cae7fc1859442d742a649af9f273

Download Submit
memory/1840-266-0x0000000077390000-0x000000007748A000-memory.dmp

Filesize
1000KB

Download
memory/1840-265-0x0000000077270000-0x000000007738F000-memory.dmp

Filesize
1.1MB

Download