9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e

Analysis

max time kernel
43s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
Size

10KB
MD5

0219170f84906e167a69ac75f6433bfb
SHA1

71092e256a6a965152cb97edf7b63f2a78891930
SHA256

9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e
SHA512

fe185854c5f304d229953e4d7916d5f8198a4c1a179de3263240acdf01201a1ea004e30d86757c4b97caafe0d8924375cd7ebf00ea493afc764c62fc5bb6d31e
SSDEEP

192:YcS/tqlXq/Sa5JZnsIscFJfsiIszV7pcZlmbbfrOo6gydyZ:YcS/V/SoznhFJUiXzli6/fB6gyd4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4524	ayCBDCBD1041.exe
1564	ayCBDCBD1041.exe
4356	ayCBDCBD1041.exe
2344	ayCBDCBD1041.exe
3708	ayCBDCBD1041.exe
2268	ayCBDCBD1041.exe
4164	ayCBDCBD1041.exe
4176	ayCBDCBD1041.exe
3972	ayCBDCBD1041.exe
448	ayCBDCBD1041.exe
2168	ayCBDCBD1041.exe
1060	ayCBDCBD1041.exe
3168	ayCBDCBD1041.exe
2000	ayCBDCBD1041.exe
2644	ayCBDCBD1041.exe
4112	ayCBDCBD1041.exe
4996	ayCBDCBD1041.exe
4788	ayCBDCBD1041.exe
4184	ayCBDCBD1041.exe
512	ayCBDCBD1041.exe
1500	ayCBDCBD1041.exe
2260	ayCBDCBD1041.exe
2720	ayCBDCBD1041.exe
3492	ayCBDCBD1041.exe
1504	ayCBDCBD1041.exe
4420	ayCBDCBD1041.exe
1228	ayCBDCBD1041.exe
2332	ayCBDCBD1041.exe
4500	ayCBDCBD1041.exe
1448	ayCBDCBD1041.exe
3668	ayCBDCBD1041.exe
4404	ayCBDCBD1041.exe
2124	ayCBDCBD1041.exe
3552	ayCBDCBD1041.exe
3364	ayCBDCBD1041.exe
876	ayCBDCBD1041.exe
4128	ayCBDCBD1041.exe
5000	ayCBDCBD1041.exe
2436	ayCBDCBD1041.exe
3500	ayCBDCBD1041.exe
1448	ayCBDCBD1041.exe
2344	ayCBDCBD1041.exe
4036	ayCBDCBD1041.exe
2720	ayCBDCBD1041.exe
3604	ayCBDCBD1041.exe
5164	ayCBDCBD1041.exe
5236	ayCBDCBD1041.exe
5348	ayCBDCBD1041.exe
5452	ayCBDCBD1041.exe
5512	ayCBDCBD1041.exe
5588	ayCBDCBD1041.exe
5628	ayCBDCBD1041.exe
5740	ayCBDCBD1041.exe
5864	ayCBDCBD1041.exe
5964	ayCBDCBD1041.exe
6092	ayCBDCBD1041.exe
5128	ayCBDCBD1041.exe
5428	ayCBDCBD1041.exe
5576	ayCBDCBD1041.exe
5952	ayCBDCBD1041.exe
5172	ayCBDCBD1041.exe
5408	ayCBDCBD1041.exe
5336	ayCBDCBD1041.exe
6080	ayCBDCBD1041.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	ayCBDCBD1041.exe
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayCBDCBD1041.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 3024	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	82
PID 1816 wrote to memory of 3024	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	82
PID 1816 wrote to memory of 3024	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	82
PID 1816 wrote to memory of 4524	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	83
PID 1816 wrote to memory of 4524	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	83
PID 1816 wrote to memory of 4524	1816	0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe	83
PID 4524 wrote to memory of 4824	4524	ayCBDCBD1041.exe	85
PID 4524 wrote to memory of 4824	4524	ayCBDCBD1041.exe	85
PID 4524 wrote to memory of 4824	4524	ayCBDCBD1041.exe	85
PID 4524 wrote to memory of 1564	4524	ayCBDCBD1041.exe	86
PID 4524 wrote to memory of 1564	4524	ayCBDCBD1041.exe	86
PID 4524 wrote to memory of 1564	4524	ayCBDCBD1041.exe	86
PID 1564 wrote to memory of 4264	1564	ayCBDCBD1041.exe	88
PID 1564 wrote to memory of 4264	1564	ayCBDCBD1041.exe	88
PID 1564 wrote to memory of 4264	1564	ayCBDCBD1041.exe	88
PID 1564 wrote to memory of 4356	1564	ayCBDCBD1041.exe	89
PID 1564 wrote to memory of 4356	1564	ayCBDCBD1041.exe	89
PID 1564 wrote to memory of 4356	1564	ayCBDCBD1041.exe	89
PID 4356 wrote to memory of 2924	4356	ayCBDCBD1041.exe	91
PID 4356 wrote to memory of 2924	4356	ayCBDCBD1041.exe	91
PID 4356 wrote to memory of 2924	4356	ayCBDCBD1041.exe	91
PID 4356 wrote to memory of 2344	4356	ayCBDCBD1041.exe	246
PID 4356 wrote to memory of 2344	4356	ayCBDCBD1041.exe	246
PID 4356 wrote to memory of 2344	4356	ayCBDCBD1041.exe	246
PID 2344 wrote to memory of 4092	2344	ayCBDCBD1041.exe	94
PID 2344 wrote to memory of 4092	2344	ayCBDCBD1041.exe	94
PID 2344 wrote to memory of 4092	2344	ayCBDCBD1041.exe	94
PID 2344 wrote to memory of 3708	2344	ayCBDCBD1041.exe	95
PID 2344 wrote to memory of 3708	2344	ayCBDCBD1041.exe	95
PID 2344 wrote to memory of 3708	2344	ayCBDCBD1041.exe	95
PID 3708 wrote to memory of 2596	3708	ayCBDCBD1041.exe	97
PID 3708 wrote to memory of 2596	3708	ayCBDCBD1041.exe	97
PID 3708 wrote to memory of 2596	3708	ayCBDCBD1041.exe	97
PID 3708 wrote to memory of 2268	3708	ayCBDCBD1041.exe	98
PID 3708 wrote to memory of 2268	3708	ayCBDCBD1041.exe	98
PID 3708 wrote to memory of 2268	3708	ayCBDCBD1041.exe	98
PID 3024 wrote to memory of 4036	3024	cmd.exe	251
PID 3024 wrote to memory of 4036	3024	cmd.exe	251
PID 3024 wrote to memory of 4036	3024	cmd.exe	251
PID 2268 wrote to memory of 4148	2268	ayCBDCBD1041.exe	101
PID 2268 wrote to memory of 4148	2268	ayCBDCBD1041.exe	101
PID 2268 wrote to memory of 4148	2268	ayCBDCBD1041.exe	101
PID 2268 wrote to memory of 4164	2268	ayCBDCBD1041.exe	102
PID 2268 wrote to memory of 4164	2268	ayCBDCBD1041.exe	102
PID 2268 wrote to memory of 4164	2268	ayCBDCBD1041.exe	102
PID 4164 wrote to memory of 3176	4164	ayCBDCBD1041.exe	104
PID 4164 wrote to memory of 3176	4164	ayCBDCBD1041.exe	104
PID 4164 wrote to memory of 3176	4164	ayCBDCBD1041.exe	104
PID 4164 wrote to memory of 4176	4164	ayCBDCBD1041.exe	176
PID 4164 wrote to memory of 4176	4164	ayCBDCBD1041.exe	176
PID 4164 wrote to memory of 4176	4164	ayCBDCBD1041.exe	176
PID 4824 wrote to memory of 1636	4824	cmd.exe	107
PID 4824 wrote to memory of 1636	4824	cmd.exe	107
PID 4824 wrote to memory of 1636	4824	cmd.exe	107
PID 4176 wrote to memory of 4004	4176	ayCBDCBD1041.exe	108
PID 4176 wrote to memory of 4004	4176	ayCBDCBD1041.exe	108
PID 4176 wrote to memory of 4004	4176	ayCBDCBD1041.exe	108
PID 4176 wrote to memory of 3972	4176	ayCBDCBD1041.exe	109
PID 4176 wrote to memory of 3972	4176	ayCBDCBD1041.exe	109
PID 4176 wrote to memory of 3972	4176	ayCBDCBD1041.exe	109
PID 3972 wrote to memory of 1812	3972	ayCBDCBD1041.exe	112
PID 3972 wrote to memory of 1812	3972	ayCBDCBD1041.exe	112
PID 3972 wrote to memory of 1812	3972	ayCBDCBD1041.exe	112
PID 2924 wrote to memory of 1340	2924	cmd.exe	111

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
9540	Process not Found
11344	Process not Found
8872	attrib.exe
9904	attrib.exe
10344	attrib.exe
11388	attrib.exe
5052	Process not Found
12620	Process not Found
5648	attrib.exe
14208	Process not Found
13428	Process not Found
11988	Process not Found
10780	attrib.exe
12960	Process not Found
10168	attrib.exe
4788	attrib.exe
6464	attrib.exe
6804	attrib.exe
11884	Process not Found
13812	Process not Found
4036	attrib.exe
9704	attrib.exe
10656	attrib.exe
5172	attrib.exe
9320	attrib.exe
12624	Process not Found
10344	attrib.exe
11628	Process not Found
13580	Process not Found
14252	Process not Found
9324	attrib.exe
8672	attrib.exe
8912	attrib.exe
13148	Process not Found
10756	Process not Found
6516	attrib.exe
7164	attrib.exe
9692	Process not Found
11828	Process not Found
5628	attrib.exe
8708	Process not Found
11388	Process not Found
8808	attrib.exe
6100	attrib.exe
7424	attrib.exe
7976	attrib.exe
9100	attrib.exe
8872	attrib.exe
14068	Process not Found
6892	attrib.exe
11048	attrib.exe
13240	Process not Found
12624	Process not Found
12440	Process not Found
7196	attrib.exe
5404	attrib.exe
5272	attrib.exe
7752	attrib.exe
8672	attrib.exe
7360	attrib.exe
9052	attrib.exe
11552	Process not Found
2436	attrib.exe
11744	Process not Found

C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599656.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\0219170f84906e167a69ac75f6433bfb_JaffaCakes118.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:4036
- C:\Windows\SysWOW64\ayCBDCBD1041.exe
  C:\Windows\system32\ayCBDCBD1041.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599687.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:5328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:6732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:6732
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:9220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
      4⤵
      PID:9864
- - C:\Windows\SysWOW64\ayCBDCBD1041.exe
    C:\Windows\system32\ayCBDCBD1041.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599718.bat
      4⤵
      PID:4264
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:2016
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:6288
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:7296
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:8720
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        5⤵
        
        PID:7304
  - - C:\Windows\SysWOW64\ayCBDCBD1041.exe
      C:\Windows\system32\ayCBDCBD1041.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599734.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:1340
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:4520
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:6112
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:6060
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:6892
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:8628
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:7400
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:8680
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:10864
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:10552
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        6⤵
        
        PID:11628
    - - C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599765.bat
        6⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        Views/modifies file attributes
        
        PID:5404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        7⤵
        
        PID:11088
      - C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599796.bat
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        8⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599859.bat
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        Views/modifies file attributes
        
        PID:5172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        9⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599890.bat
        9⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        10⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599921.bat
        10⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        11⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599937.bat
        11⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        12⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        11⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240599984.bat
        12⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        Views/modifies file attributes
        
        PID:7196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        13⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        12⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600000.bat
        13⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        14⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        13⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600031.bat
        14⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        Views/modifies file attributes
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        15⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        14⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600062.bat
        15⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        16⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        15⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600109.bat
        16⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:7764
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        16⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600140.bat
        17⤵
        
        PID:840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:2436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        18⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        17⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600187.bat
        18⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        Views/modifies file attributes
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        19⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        18⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600234.bat
        19⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        20⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        19⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600250.bat
        20⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        21⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        20⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600296.bat
        21⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:10016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        22⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        21⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600343.bat
        22⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        23⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        22⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600375.bat
        23⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        Drops file in System32 directory
        
        PID:8552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:11048
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        23⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600406.bat
        24⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        25⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        24⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600468.bat
        25⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        26⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        25⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600500.bat
        26⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        27⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        26⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600546.bat
        27⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        Views/modifies file attributes
        
        PID:6464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        28⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600578.bat
        28⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        29⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        28⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600625.bat
        29⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:9992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        30⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600671.bat
        30⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        31⤵
        Views/modifies file attributes
        
        PID:9052
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        30⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600718.bat
        31⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        32⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        31⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600765.bat
        32⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        33⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        32⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600781.bat
        33⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        34⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        33⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600812.bat
        34⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        35⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        34⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600828.bat
        35⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        36⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        35⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600906.bat
        36⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        Drops file in System32 directory
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        37⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        36⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240600968.bat
        37⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        38⤵
        Views/modifies file attributes
        
        PID:9704
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        37⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601046.bat
        38⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        39⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        38⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601093.bat
        39⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        40⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        39⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601125.bat
        40⤵
        
        PID:1920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        Drops file in System32 directory
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        41⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601140.bat
        41⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:8660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        42⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        41⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601187.bat
        42⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        43⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        42⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601234.bat
        43⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        44⤵
        Views/modifies file attributes
        
        PID:8872
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        43⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601296.bat
        44⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        45⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        44⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601312.bat
        45⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        46⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        45⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601390.bat
        46⤵
        
        PID:1500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        Views/modifies file attributes
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        Views/modifies file attributes
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        47⤵
        Views/modifies file attributes
        
        PID:9320
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        46⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601421.bat
        47⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        Views/modifies file attributes
        
        PID:5628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        48⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        47⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601453.bat
        48⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        49⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        48⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601546.bat
        49⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        50⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601562.bat
        50⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        51⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        50⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601593.bat
        51⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        52⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        51⤵
        Executes dropped EXE
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601640.bat
        52⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        53⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        52⤵
        Executes dropped EXE
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601656.bat
        53⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        Views/modifies file attributes
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        54⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        53⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601687.bat
        54⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        55⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        54⤵
        Executes dropped EXE
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601734.bat
        55⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        56⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        55⤵
        Executes dropped EXE
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601796.bat
        56⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        Drops file in System32 directory
        
        PID:8200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        57⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        56⤵
        Executes dropped EXE
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601859.bat
        57⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        58⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        57⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601937.bat
        58⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        59⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        58⤵
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240601984.bat
        59⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        Views/modifies file attributes
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        60⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        59⤵
        Executes dropped EXE
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602015.bat
        60⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:10780
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        60⤵
        Executes dropped EXE
        
        PID:5576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602062.bat
        61⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        62⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        61⤵
        Executes dropped EXE
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602140.bat
        62⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        63⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        62⤵
        Executes dropped EXE
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602171.bat
        63⤵
        
        PID:5776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        64⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        63⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602203.bat
        64⤵
        
        PID:5904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        Views/modifies file attributes
        
        PID:6516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        65⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        64⤵
        Executes dropped EXE
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602234.bat
        65⤵
        
        PID:5372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        Views/modifies file attributes
        
        PID:5272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        66⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        65⤵
        Executes dropped EXE
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602296.bat
        66⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        Views/modifies file attributes
        
        PID:8872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        67⤵
        Drops file in System32 directory
        
        PID:10300
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        66⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602343.bat
        67⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        68⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        67⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602375.bat
        68⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        69⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        68⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602390.bat
        69⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        70⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        69⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602453.bat
        70⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        71⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        70⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602531.bat
        71⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        72⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        72⤵
        Views/modifies file attributes
        
        PID:7752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        72⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        72⤵
        Views/modifies file attributes
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        72⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        71⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602546.bat
        72⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        73⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        72⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602578.bat
        73⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        74⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        74⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        74⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        74⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        73⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602625.bat
        74⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        75⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        75⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        75⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        75⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        75⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        74⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602718.bat
        75⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        76⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        75⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602734.bat
        76⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        77⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        77⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        77⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        77⤵
        Drops file in System32 directory
        
        PID:10952
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        76⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602765.bat
        77⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        78⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        78⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        78⤵
        Drops file in System32 directory
        
        PID:10248
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        77⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602796.bat
        78⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        79⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        79⤵
        Views/modifies file attributes
        
        PID:7164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        79⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        79⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        78⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602843.bat
        79⤵
        
        PID:6212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        80⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        80⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        80⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        79⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602890.bat
        80⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        81⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        81⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        81⤵
        Drops file in System32 directory
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        81⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        80⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240602921.bat
        81⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        82⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        82⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        82⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        82⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        81⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603000.bat
        82⤵
        
        PID:6352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        83⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        83⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        83⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        82⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603015.bat
        83⤵
        
        PID:5980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        84⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        84⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        84⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        84⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        83⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603093.bat
        84⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        85⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        85⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        85⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        84⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603125.bat
        85⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        86⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        86⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        86⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        85⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603156.bat
        86⤵
        
        PID:6504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        87⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        87⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        87⤵
        Views/modifies file attributes
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        87⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        86⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603250.bat
        87⤵
        
        PID:6168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        88⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        88⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        88⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        87⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603328.bat
        88⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        89⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        89⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        89⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        88⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603406.bat
        89⤵
        
        PID:6856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        90⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        90⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        90⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        90⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        89⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603437.bat
        90⤵
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        91⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        91⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        91⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        90⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603453.bat
        91⤵
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        92⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        92⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        92⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        92⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        91⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603531.bat
        92⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        93⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        93⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        93⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        92⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603546.bat
        93⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        94⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        94⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        94⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        93⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603625.bat
        94⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        95⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        95⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        95⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        94⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603671.bat
        95⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        96⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        96⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        96⤵
        Drops file in System32 directory
        
        PID:11224
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        95⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603765.bat
        96⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        97⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        97⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:11336
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        96⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603812.bat
        97⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        98⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        98⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        97⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603890.bat
        98⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        99⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        99⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        98⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603906.bat
        99⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        100⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        100⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        99⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603937.bat
        100⤵
        
        PID:8116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        101⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        101⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        100⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240603984.bat
        101⤵
        
        PID:6752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        102⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        102⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        101⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604031.bat
        102⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        103⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        103⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        102⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604078.bat
        103⤵
        
        PID:3108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        104⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        104⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        104⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        104⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        103⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604093.bat
        104⤵
        
        PID:7092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        105⤵
        Drops file in System32 directory
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        105⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        105⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        105⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        104⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604187.bat
        105⤵
        
        PID:7644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        106⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        106⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        105⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604203.bat
        106⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        107⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        107⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        107⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        106⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604250.bat
        107⤵
        
        PID:8052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        108⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        108⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        108⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        107⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604281.bat
        108⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        109⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        109⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        108⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604312.bat
        109⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        110⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        110⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        110⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        109⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604390.bat
        110⤵
        
        PID:7616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        111⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        111⤵
        Views/modifies file attributes
        
        PID:7360
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        110⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604468.bat
        111⤵
        
        PID:6580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        112⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        112⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        112⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        111⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604484.bat
        112⤵
        
        PID:7812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        113⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        113⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        112⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604531.bat
        113⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        114⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        114⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        114⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        113⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604578.bat
        114⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        115⤵
        Drops file in System32 directory
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        115⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        115⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        114⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604609.bat
        115⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        116⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        116⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        116⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        115⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604671.bat
        116⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        117⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        117⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        117⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        116⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240604953.bat
        117⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        118⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        118⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        117⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605062.bat
        118⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        119⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        119⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        118⤵
        Drops file in System32 directory
        
        PID:9024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605156.bat
        119⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        120⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        120⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        119⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605203.bat
        120⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        121⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        121⤵
        Views/modifies file attributes
        
        PID:8912
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        120⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605265.bat
        121⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        122⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        122⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        121⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605312.bat
        122⤵
        
        PID:7732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        123⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        123⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        123⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        122⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605343.bat
        123⤵
        
        PID:8320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        124⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        124⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        123⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605375.bat
        124⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        125⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        125⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        124⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605515.bat
        125⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        126⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        126⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        125⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605578.bat
        126⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        127⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        127⤵
        Views/modifies file attributes
        
        PID:11388
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        126⤵
        Drops file in System32 directory
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605640.bat
        127⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        128⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        127⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605703.bat
        128⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        129⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        129⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        128⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605765.bat
        129⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        130⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        129⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605781.bat
        130⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        131⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        130⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605859.bat
        131⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        132⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        132⤵
        Drops file in System32 directory
        
        PID:12056
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        131⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605890.bat
        132⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        133⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        132⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240605984.bat
        133⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        134⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        133⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606062.bat
        134⤵
        
        PID:10136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        135⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        134⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606109.bat
        135⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        136⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        136⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        135⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606171.bat
        136⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        137⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        136⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606390.bat
        137⤵
        
        PID:8688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        138⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        138⤵
        Views/modifies file attributes
        
        PID:10656
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        137⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606531.bat
        138⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        139⤵
        Views/modifies file attributes
        
        PID:10344
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        138⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606562.bat
        139⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        140⤵
        Drops file in System32 directory
        
        PID:8744
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        139⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606609.bat
        140⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        141⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        141⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        140⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606656.bat
        141⤵
        
        PID:8916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        142⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        141⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606718.bat
        142⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        143⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        142⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240606812.bat
        143⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        144⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        143⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607046.bat
        144⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        145⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        144⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607125.bat
        145⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        146⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        145⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607171.bat
        146⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        147⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        146⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607406.bat
        147⤵
        
        PID:7848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        148⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        147⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607500.bat
        148⤵
        
        PID:9956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        149⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        148⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607531.bat
        149⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        150⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        149⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607578.bat
        150⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        151⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        150⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607593.bat
        151⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        152⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        151⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607656.bat
        152⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        153⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        152⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607734.bat
        153⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        154⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        153⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607859.bat
        154⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        155⤵
        Views/modifies file attributes
        
        PID:10344
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        154⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240607953.bat
        155⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        156⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        155⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608015.bat
        156⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        157⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        156⤵
        Drops file in System32 directory
        
        PID:10552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608078.bat
        157⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        158⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        157⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608156.bat
        158⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        159⤵
        
        PID:11804
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        158⤵
        Drops file in System32 directory
        
        PID:10908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608187.bat
        159⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        160⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        159⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608218.bat
        160⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        161⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        160⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608250.bat
        161⤵
        
        PID:11172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        162⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        161⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608281.bat
        162⤵
        
        PID:8252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        163⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        162⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608406.bat
        163⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        164⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        163⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608468.bat
        164⤵
        
        PID:9844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        165⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        164⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608515.bat
        165⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        166⤵
        Drops file in System32 directory
        
        PID:7612
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        165⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608593.bat
        166⤵
        
        PID:10844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        166⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608656.bat
        167⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayCBDCBD1041.exe" -r -a -s -h
        168⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        167⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608718.bat
        168⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        168⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608796.bat
        169⤵
        
        PID:7048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        169⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608875.bat
        170⤵
        
        PID:9352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        170⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240608953.bat
        171⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        171⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609015.bat
        172⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        172⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609062.bat
        173⤵
        
        PID:10304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        173⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609093.bat
        174⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        174⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609156.bat
        175⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        175⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609187.bat
        176⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        176⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609281.bat
        177⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        177⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609390.bat
        178⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        178⤵
        Drops file in System32 directory
        
        PID:11316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609453.bat
        179⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        179⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609562.bat
        180⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        180⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609625.bat
        181⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        181⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609671.bat
        182⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        182⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609750.bat
        183⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        183⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240609812.bat
        184⤵
        
        PID:12224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\ayCBDCBD1041.exe
        
        C:\Windows\system32\ayCBDCBD1041.exe
        184⤵
        
        PID:12232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ayCBDCBD1041.exe

Filesize
10KB

MD5
0219170f84906e167a69ac75f6433bfb

SHA1
71092e256a6a965152cb97edf7b63f2a78891930

SHA256
9c244f8b7bbab4cf838bb621cada0de30ceb47c418774654d366821c8b09be5e

SHA512
fe185854c5f304d229953e4d7916d5f8198a4c1a179de3263240acdf01201a1ea004e30d86757c4b97caafe0d8924375cd7ebf00ea493afc764c62fc5bb6d31e

Download Submit
C:\ca69b18ee8c2240599734.bat

Filesize
188B

MD5
0f3312155135cf396aa19d19003e0e01

SHA1
e2f13247fe520126c41f13dff02ae3c578d40e37

SHA256
6ba5bcd648c655c5eb7c6c07732c2f878d2276d0c685df01d763bfc77b770ab4

SHA512
e2611c6f7b2d5d2e4cfb50291ac9ef1fddc218a97dff3546ebe4e0c8c41d358da8652c5aa42ab224b72d66ae21f576b43f24cae7fc1859442d742a649af9f273

Download Submit
\??\c:\ca69b18ee8c2240599656.bat

Filesize
332B

MD5
2e351f3559f33f284c54bf1b757f73c4

SHA1
e3b536877d4d3ad07af4d110cb64a3b7efecf2ff

SHA256
2bff2a07ecb55759de7aa9c4d399fc89b85a039ecbccb1b5e168d731bfded7d3

SHA512
b023782f45ff78ab018dac7cf24b1fd80edd39802db357a472bc6a03c95e154ee8607ad63fe14bd1b4326c0c1d32ad8d600f0da960699f5c37783b686df46ebf

Download Submit