ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
Size

11KB
MD5

04a2c38185c6b778d9c6c2814289080b
SHA1

7907ce9cf9efd6f88731f44c1a13b18aefe5fe51
SHA256

ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9
SHA512

fc3992612a3604b24d33dbc25fd70955547a8f93239480d728282b188c405af7c749612d81850bbac7d42e74ebc47a14aad3832046cd8333014ca6f9437ce993
SSDEEP

192:t6WObzqloa362ImFiKhvmt3DcU51a12yR1QkB1ZUfLkgUw9Juw:tGj67FiKAH5I12ynB1yf0i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2972	HAB_HAB_1033.exe
2736	HAB_HAB_1033.exe
2492	HAB_HAB_1033.exe
2460	HAB_HAB_1033.exe
2924	HAB_HAB_1033.exe
2524	HAB_HAB_1033.exe
2564	HAB_HAB_1033.exe
1540	HAB_HAB_1033.exe
1252	HAB_HAB_1033.exe
2324	HAB_HAB_1033.exe
264	HAB_HAB_1033.exe
1696	HAB_HAB_1033.exe
596	HAB_HAB_1033.exe
872	HAB_HAB_1033.exe
2792	HAB_HAB_1033.exe
2184	HAB_HAB_1033.exe
1712	HAB_HAB_1033.exe
2712	HAB_HAB_1033.exe
2488	HAB_HAB_1033.exe
2640	HAB_HAB_1033.exe
1520	HAB_HAB_1033.exe
1004	HAB_HAB_1033.exe
2032	HAB_HAB_1033.exe
1936	HAB_HAB_1033.exe
1644	HAB_HAB_1033.exe
1788	HAB_HAB_1033.exe
3000	HAB_HAB_1033.exe
3056	HAB_HAB_1033.exe
2028	HAB_HAB_1033.exe
2996	HAB_HAB_1033.exe
2928	HAB_HAB_1033.exe
1796	HAB_HAB_1033.exe
548	HAB_HAB_1033.exe
2484	HAB_HAB_1033.exe
1004	HAB_HAB_1033.exe
2800	HAB_HAB_1033.exe
2840	HAB_HAB_1033.exe
2652	HAB_HAB_1033.exe
1876	HAB_HAB_1033.exe
2292	HAB_HAB_1033.exe
2368	HAB_HAB_1033.exe
2688	HAB_HAB_1033.exe
864	HAB_HAB_1033.exe
876	HAB_HAB_1033.exe
2448	HAB_HAB_1033.exe
1920	HAB_HAB_1033.exe
800	HAB_HAB_1033.exe
2792	HAB_HAB_1033.exe
2712	HAB_HAB_1033.exe
864	HAB_HAB_1033.exe
2556	HAB_HAB_1033.exe
2488	HAB_HAB_1033.exe
2660	HAB_HAB_1033.exe
2652	HAB_HAB_1033.exe
2952	HAB_HAB_1033.exe
1992	HAB_HAB_1033.exe
800	HAB_HAB_1033.exe
2840	HAB_HAB_1033.exe
2388	HAB_HAB_1033.exe
2888	HAB_HAB_1033.exe
820	HAB_HAB_1033.exe
1172	HAB_HAB_1033.exe
2428	HAB_HAB_1033.exe
1548	HAB_HAB_1033.exe

Loads dropped DLL 64 IoCs

pid	Process
2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
2972	HAB_HAB_1033.exe
2972	HAB_HAB_1033.exe
2736	HAB_HAB_1033.exe
2736	HAB_HAB_1033.exe
2492	HAB_HAB_1033.exe
2492	HAB_HAB_1033.exe
2460	HAB_HAB_1033.exe
2460	HAB_HAB_1033.exe
2924	HAB_HAB_1033.exe
2924	HAB_HAB_1033.exe
2524	HAB_HAB_1033.exe
2524	HAB_HAB_1033.exe
2564	HAB_HAB_1033.exe
2564	HAB_HAB_1033.exe
1540	HAB_HAB_1033.exe
1540	HAB_HAB_1033.exe
1252	HAB_HAB_1033.exe
1252	HAB_HAB_1033.exe
2324	HAB_HAB_1033.exe
264	HAB_HAB_1033.exe
264	HAB_HAB_1033.exe
1696	HAB_HAB_1033.exe
1696	HAB_HAB_1033.exe
596	HAB_HAB_1033.exe
596	HAB_HAB_1033.exe
872	HAB_HAB_1033.exe
872	HAB_HAB_1033.exe
2792	HAB_HAB_1033.exe
2792	HAB_HAB_1033.exe
2184	HAB_HAB_1033.exe
2184	HAB_HAB_1033.exe
1712	HAB_HAB_1033.exe
1712	HAB_HAB_1033.exe
2712	HAB_HAB_1033.exe
2712	HAB_HAB_1033.exe
2488	HAB_HAB_1033.exe
2488	HAB_HAB_1033.exe
2640	HAB_HAB_1033.exe
2640	HAB_HAB_1033.exe
1520	HAB_HAB_1033.exe
1520	HAB_HAB_1033.exe
1004	HAB_HAB_1033.exe
1004	HAB_HAB_1033.exe
2032	HAB_HAB_1033.exe
2032	HAB_HAB_1033.exe
1936	HAB_HAB_1033.exe
1936	HAB_HAB_1033.exe
1644	HAB_HAB_1033.exe
1644	HAB_HAB_1033.exe
1788	HAB_HAB_1033.exe
1788	HAB_HAB_1033.exe
3000	HAB_HAB_1033.exe
3000	HAB_HAB_1033.exe
3056	HAB_HAB_1033.exe
3056	HAB_HAB_1033.exe
2028	HAB_HAB_1033.exe
2996	HAB_HAB_1033.exe
2996	HAB_HAB_1033.exe
2928	HAB_HAB_1033.exe
2928	HAB_HAB_1033.exe
1796	HAB_HAB_1033.exe
1796	HAB_HAB_1033.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3060	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3060	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3060	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	28
PID 2392 wrote to memory of 3060	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	28
PID 2392 wrote to memory of 2972	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2972	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2972	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	29
PID 2392 wrote to memory of 2972	2392	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2620	2972	HAB_HAB_1033.exe	31
PID 2972 wrote to memory of 2620	2972	HAB_HAB_1033.exe	31
PID 2972 wrote to memory of 2620	2972	HAB_HAB_1033.exe	31
PID 2972 wrote to memory of 2620	2972	HAB_HAB_1033.exe	31
PID 2972 wrote to memory of 2736	2972	HAB_HAB_1033.exe	32
PID 2972 wrote to memory of 2736	2972	HAB_HAB_1033.exe	32
PID 2972 wrote to memory of 2736	2972	HAB_HAB_1033.exe	32
PID 2972 wrote to memory of 2736	2972	HAB_HAB_1033.exe	32
PID 2736 wrote to memory of 1904	2736	HAB_HAB_1033.exe	34
PID 2736 wrote to memory of 1904	2736	HAB_HAB_1033.exe	34
PID 2736 wrote to memory of 1904	2736	HAB_HAB_1033.exe	34
PID 2736 wrote to memory of 1904	2736	HAB_HAB_1033.exe	34
PID 2736 wrote to memory of 2492	2736	HAB_HAB_1033.exe	35
PID 2736 wrote to memory of 2492	2736	HAB_HAB_1033.exe	35
PID 2736 wrote to memory of 2492	2736	HAB_HAB_1033.exe	35
PID 2736 wrote to memory of 2492	2736	HAB_HAB_1033.exe	35
PID 3060 wrote to memory of 2712	3060	cmd.exe	37
PID 3060 wrote to memory of 2712	3060	cmd.exe	37
PID 3060 wrote to memory of 2712	3060	cmd.exe	37
PID 3060 wrote to memory of 2712	3060	cmd.exe	37
PID 2492 wrote to memory of 2520	2492	HAB_HAB_1033.exe	38
PID 2492 wrote to memory of 2520	2492	HAB_HAB_1033.exe	38
PID 2492 wrote to memory of 2520	2492	HAB_HAB_1033.exe	38
PID 2492 wrote to memory of 2520	2492	HAB_HAB_1033.exe	38
PID 2492 wrote to memory of 2460	2492	HAB_HAB_1033.exe	39
PID 2492 wrote to memory of 2460	2492	HAB_HAB_1033.exe	39
PID 2492 wrote to memory of 2460	2492	HAB_HAB_1033.exe	39
PID 2492 wrote to memory of 2460	2492	HAB_HAB_1033.exe	39
PID 2460 wrote to memory of 2284	2460	HAB_HAB_1033.exe	41
PID 2460 wrote to memory of 2284	2460	HAB_HAB_1033.exe	41
PID 2460 wrote to memory of 2284	2460	HAB_HAB_1033.exe	41
PID 2460 wrote to memory of 2284	2460	HAB_HAB_1033.exe	41
PID 1904 wrote to memory of 1620	1904	cmd.exe	42
PID 1904 wrote to memory of 1620	1904	cmd.exe	42
PID 1904 wrote to memory of 1620	1904	cmd.exe	42
PID 1904 wrote to memory of 1620	1904	cmd.exe	42
PID 2460 wrote to memory of 2924	2460	HAB_HAB_1033.exe	43
PID 2460 wrote to memory of 2924	2460	HAB_HAB_1033.exe	43
PID 2460 wrote to memory of 2924	2460	HAB_HAB_1033.exe	43
PID 2460 wrote to memory of 2924	2460	HAB_HAB_1033.exe	43
PID 2620 wrote to memory of 1484	2620	cmd.exe	44
PID 2620 wrote to memory of 1484	2620	cmd.exe	44
PID 2620 wrote to memory of 1484	2620	cmd.exe	44
PID 2620 wrote to memory of 1484	2620	cmd.exe	44
PID 2924 wrote to memory of 1224	2924	HAB_HAB_1033.exe	46
PID 2924 wrote to memory of 1224	2924	HAB_HAB_1033.exe	46
PID 2924 wrote to memory of 1224	2924	HAB_HAB_1033.exe	46
PID 2924 wrote to memory of 1224	2924	HAB_HAB_1033.exe	46
PID 2924 wrote to memory of 2524	2924	HAB_HAB_1033.exe	47
PID 2924 wrote to memory of 2524	2924	HAB_HAB_1033.exe	47
PID 2924 wrote to memory of 2524	2924	HAB_HAB_1033.exe	47
PID 2924 wrote to memory of 2524	2924	HAB_HAB_1033.exe	47
PID 2524 wrote to memory of 2264	2524	HAB_HAB_1033.exe	49
PID 2524 wrote to memory of 2264	2524	HAB_HAB_1033.exe	49
PID 2524 wrote to memory of 2264	2524	HAB_HAB_1033.exe	49
PID 2524 wrote to memory of 2264	2524	HAB_HAB_1033.exe	49

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3856	attrib.exe
11952	Process not Found
13696	Process not Found
13604	Process not Found
6604	Process not Found
14048	Process not Found
16180	Process not Found
4284	Process not Found
13812	Process not Found
13780	Process not Found
11128	Process not Found
11952	Process not Found
13112	Process not Found
10812	Process not Found
12600	Process not Found
14008	Process not Found
12564	Process not Found
13348	Process not Found
13608	Process not Found
15884	Process not Found
13148	Process not Found
13068	Process not Found
5888	Process not Found
4804	attrib.exe
3488	attrib.exe
13544	Process not Found
14752	Process not Found
15732	Process not Found
12900	Process not Found
14044	Process not Found
13908	Process not Found
7352	Process not Found
1568	attrib.exe
4800	attrib.exe
4336	Process not Found
12000	Process not Found
16132	Process not Found
14704	Process not Found
8616	Process not Found
16060	Process not Found
3860	Process not Found
7640	Process not Found
14312	Process not Found
14416	Process not Found
15676	Process not Found
15832	Process not Found
4792	Process not Found
14756	Process not Found
13960	Process not Found
14432	Process not Found
13464	Process not Found
6440	Process not Found
13736	Process not Found
8288	Process not Found
8604	Process not Found
3676	Process not Found
13740	Process not Found
7896	Process not Found
4656	Process not Found
15048	Process not Found
3916	Process not Found
10868	Process not Found
14248	Process not Found
7272	Process not Found

C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\c7417df98544259395545.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2712
- C:\Windows\SysWOW64\HAB_HAB_1033.exe
  C:\Windows\system32\HAB_HAB_1033.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\c7417df98544259395623.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:3240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:3088
- - C:\Windows\SysWOW64\HAB_HAB_1033.exe
    C:\Windows\system32\HAB_HAB_1033.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\c7417df98544259395638.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:940
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:264
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:3916
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\HAB_HAB_1033.exe
      C:\Windows\system32\HAB_HAB_1033.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395670.bat
        5⤵
        
        PID:2520
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:1548
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:908
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:800
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:2316
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:1348
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:2792
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:3652
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:3736
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:4584
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2460
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395701.bat
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:3936
      - C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395716.bat
        7⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395732.bat
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395763.bat
        9⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395779.bat
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395810.bat
        11⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        Views/modifies file attributes
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259395841.bat
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396075.bat
        13⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396231.bat
        14⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396262.bat
        15⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396294.bat
        16⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396309.bat
        17⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396325.bat
        18⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396356.bat
        19⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396372.bat
        20⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396403.bat
        21⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396418.bat
        22⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396434.bat
        23⤵
        
        PID:752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396465.bat
        24⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396481.bat
        25⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396496.bat
        26⤵
        
        PID:520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396512.bat
        27⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396528.bat
        28⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396543.bat
        29⤵
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259396840.bat
        30⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259397058.bat
        31⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259397401.bat
        32⤵
        
        PID:832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259397713.bat
        33⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259397807.bat
        34⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        34⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398150.bat
        35⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        35⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398322.bat
        36⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        36⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398618.bat
        37⤵
        
        PID:412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        37⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398634.bat
        38⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        Views/modifies file attributes
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        38⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398649.bat
        39⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:980
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        39⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398665.bat
        40⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        40⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398680.bat
        41⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        41⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398696.bat
        42⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:892
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        42⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398712.bat
        43⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:308
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        43⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398727.bat
        44⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        44⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398743.bat
        45⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        45⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398758.bat
        46⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        46⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398774.bat
        47⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        47⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398774.bat
        48⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:480
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        48⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398790.bat
        49⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        49⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398821.bat
        50⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        50⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398836.bat
        51⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        51⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398868.bat
        52⤵
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        52⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398883.bat
        53⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        53⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398899.bat
        54⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        54⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398930.bat
        55⤵
        
        PID:864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        55⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398946.bat
        56⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        56⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398961.bat
        57⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        57⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398961.bat
        58⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259398992.bat
        59⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        59⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399008.bat
        60⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        60⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399039.bat
        61⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        61⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399055.bat
        62⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        Views/modifies file attributes
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        62⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399070.bat
        63⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        63⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399086.bat
        64⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        64⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399117.bat
        65⤵
        
        PID:820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        65⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399133.bat
        66⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        66⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399148.bat
        67⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        67⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399180.bat
        68⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        68⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399195.bat
        69⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        69⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399211.bat
        70⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        70⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399226.bat
        71⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        71⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399258.bat
        72⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        72⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399273.bat
        73⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        73⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399289.bat
        74⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        74⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399320.bat
        75⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        75⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399336.bat
        76⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        76⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399351.bat
        77⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        77⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399367.bat
        78⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        78⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399382.bat
        79⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        79⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399398.bat
        80⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        80⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399414.bat
        81⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        81⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399429.bat
        82⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        82⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399460.bat
        83⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        83⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399476.bat
        84⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        84⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399492.bat
        85⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        85⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399507.bat
        86⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        86⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399523.bat
        87⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        87⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399538.bat
        88⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        88⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399554.bat
        89⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        89⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399585.bat
        90⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        90⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399601.bat
        91⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        91⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399632.bat
        92⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:868
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        92⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399648.bat
        93⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        93⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399663.bat
        94⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        94⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399694.bat
        95⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        95⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399710.bat
        96⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        96⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399726.bat
        97⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        97⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399757.bat
        98⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        98⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399757.bat
        99⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        99⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399772.bat
        100⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        100⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399788.bat
        101⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        101⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399819.bat
        102⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        102⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399835.bat
        103⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        Views/modifies file attributes
        
        PID:4800
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        103⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399850.bat
        104⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        104⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399866.bat
        105⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        105⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399882.bat
        106⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        Views/modifies file attributes
        
        PID:4804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        106⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399913.bat
        107⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        107⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399928.bat
        108⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        108⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399944.bat
        109⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        109⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399975.bat
        110⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        110⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259399991.bat
        111⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        111⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400006.bat
        112⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        112⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400022.bat
        113⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:572
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        113⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400053.bat
        114⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        114⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400053.bat
        115⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        115⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400069.bat
        116⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        116⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400084.bat
        117⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        117⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400100.bat
        118⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        118⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400116.bat
        119⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        119⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400116.bat
        120⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        120⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400131.bat
        121⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        121⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400147.bat
        122⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        122⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400162.bat
        123⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        123⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400194.bat
        124⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        124⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400209.bat
        125⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        125⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400225.bat
        126⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        126⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400240.bat
        127⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        127⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259400256.bat
        128⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        128⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\c7417df98544259402534.bat
        129⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        130⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        130⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        130⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        129⤵
        
        PID:3888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1115085989812354515-1890059419-592870784947298586-575698472795270120-815629695"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1838927689-948834096-45848259328436030759901621694348951278543649-749894695"
1⤵
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13025576651828115581911821902-1627206708-352598727-428725579555644180990826998"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "786227522111598535114639042531444520660-178493520-741990768-2138229759332503773"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1798622265399970274-2948690161964716472-902281505-11036002281858752909-74682194"
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1043680670-505840106-29665703112560462951363890370526118990759670230149702098"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "834609421405262425-1975756621-748916907-1605843684-14126977132657965951895891586"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1792590282-16600664813841563131780944281083291505-1879961119-440447241-185376596"
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-548263102-343517866-2073242735-594648448-20414438001226358349-1221946339223878564"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "80103601594945853-307695586808146607-20201805951301643308723295502-1538782839"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2009077653-1850313771-20626297692139784602-395710651-848261477930617456734684895"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "782998777-1159315453156351998-72114937710150369161126200876-1114348884-1571282868"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1957353562-74079609795495162013764021-1630304461748463931526575791-787151489"
1⤵
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1997885197-10592833751844383340381267703-16938286691968165291568921019122968378"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "647620132780832038-5763574761108416033-1446933380185282654620375785471709906407"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "188629300669557943-17245119611492469984-1913230109-836003524997165387-1965877577"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2137686421647529047-113443988320287934642774316751494477478-217762079719065526"
1⤵
PID:548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "109099794-4634500141882370348-1774884906-1138943507-11411025781847795642-854631917"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1736142178-371324757-336869448-324885785-324863785-182063326609420406925806217"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-177671356-541587135-1264371272-533409744-17662348271712560875-13141501901459847830"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-196029561-1247100108-1743112797274699153-2106695278-9887367051018452519939503443"
1⤵
PID:264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2391438912753410541295582973-1997802438-238869796-752432301896517264-111108917"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "172380835-1301409042-197160685483271912-17204662211670388142-242106854946486612"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1837582890-663515656-14198311431396680818332252234-1238801618-1999176951-769449788"
1⤵
PID:3556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1968831941-1968953121-299523935-3667423351430873739-283545658-1656802504-545461020"
1⤵
PID:3908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-51737149-240866248-4097610292269485431194771026796318487-900226587-1485704264"
1⤵
PID:3212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1694043511-11824529867019977011459554005208080103-1129765786-1403849372-1620958513"
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20488995245209103441310812344-1317848286-9598583561060657603-13743115248491679"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "505993288301393529-1949129542-2415627332040416029-1761018655608387596-610320658"
1⤵
PID:5004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1941888833-1742872307-2068387458-8169226115391280104668557159148091421785712398"
1⤵
PID:4164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1085758683-6552664581255043202-1194350793-705542231172790877820295686971511703452"
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\c7417df98544259395545.bat

Filesize
332B

MD5
e0ed04e87e9472de73edc5ad269722c8

SHA1
3d4398349b6d8acfeaeec9dd6307fe5bc14d029d

SHA256
736ece2743f6f90ef91ff63d1c5b94eeeae263145915721ac7c4c548d0c7c388

SHA512
ac81a5d3373d333227d130fb01061246cdfe0a3396232c08ce993a7eaaf628fba4a541ca5da22224ca21a78f91b13c966f8222a0457f4fba6e8a86f777b48e56

Download Submit
C:\c7417df98544259395623.bat

Filesize
188B

MD5
1aaca4473e35e4cc0c3b3d6dcbe27315

SHA1
1787bfcba82afabdf1d0d570a09519ab131cdf7c

SHA256
93d33317d9b4827189fde54a5f64aa8cb0a60106acf2206a0c09a6e280dd04dd

SHA512
4bd06f1f2a49fa179a84f3be9df03f269733acf1f5df38c2189d4429ad62e9e20e6cdd02174c59555e126754de355cc161c808caf4931ceba16d2cbf4b415296

Download Submit
\Windows\SysWOW64\HAB_HAB_1033.exe

Filesize
11KB

MD5
04a2c38185c6b778d9c6c2814289080b

SHA1
7907ce9cf9efd6f88731f44c1a13b18aefe5fe51

SHA256
ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9

SHA512
fc3992612a3604b24d33dbc25fd70955547a8f93239480d728282b188c405af7c749612d81850bbac7d42e74ebc47a14aad3832046cd8333014ca6f9437ce993

Download Submit