ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
Size

11KB
MD5

04a2c38185c6b778d9c6c2814289080b
SHA1

7907ce9cf9efd6f88731f44c1a13b18aefe5fe51
SHA256

ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9
SHA512

fc3992612a3604b24d33dbc25fd70955547a8f93239480d728282b188c405af7c749612d81850bbac7d42e74ebc47a14aad3832046cd8333014ca6f9437ce993
SSDEEP

192:t6WObzqloa362ImFiKhvmt3DcU51a12yR1QkB1ZUfLkgUw9Juw:tGj67FiKAH5I12ynB1yf0i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1692	HAB_HAB_1033.exe
4856	HAB_HAB_1033.exe
2800	HAB_HAB_1033.exe
3496	HAB_HAB_1033.exe
1856	HAB_HAB_1033.exe
4752	HAB_HAB_1033.exe
4468	HAB_HAB_1033.exe
1680	HAB_HAB_1033.exe
3200	HAB_HAB_1033.exe
3568	HAB_HAB_1033.exe
2400	HAB_HAB_1033.exe
2084	HAB_HAB_1033.exe
4896	HAB_HAB_1033.exe
1448	HAB_HAB_1033.exe
2316	HAB_HAB_1033.exe
1704	HAB_HAB_1033.exe
1648	HAB_HAB_1033.exe
3596	HAB_HAB_1033.exe
4120	HAB_HAB_1033.exe
2556	HAB_HAB_1033.exe
1532	HAB_HAB_1033.exe
392	HAB_HAB_1033.exe
4596	HAB_HAB_1033.exe
2816	HAB_HAB_1033.exe
2692	HAB_HAB_1033.exe
4808	HAB_HAB_1033.exe
1076	HAB_HAB_1033.exe
1012	HAB_HAB_1033.exe
5012	HAB_HAB_1033.exe
884	HAB_HAB_1033.exe
948	HAB_HAB_1033.exe
4288	HAB_HAB_1033.exe
2972	HAB_HAB_1033.exe
3380	HAB_HAB_1033.exe
696	HAB_HAB_1033.exe
932	HAB_HAB_1033.exe
1996	HAB_HAB_1033.exe
916	HAB_HAB_1033.exe
1648	HAB_HAB_1033.exe
4464	HAB_HAB_1033.exe
2240	HAB_HAB_1033.exe
2556	HAB_HAB_1033.exe
916	HAB_HAB_1033.exe
5216	HAB_HAB_1033.exe
5348	HAB_HAB_1033.exe
5444	HAB_HAB_1033.exe
5548	HAB_HAB_1033.exe
5608	HAB_HAB_1033.exe
5716	HAB_HAB_1033.exe
5768	HAB_HAB_1033.exe
5816	HAB_HAB_1033.exe
5892	HAB_HAB_1033.exe
5960	HAB_HAB_1033.exe
6028	HAB_HAB_1033.exe
2656	HAB_HAB_1033.exe
5140	HAB_HAB_1033.exe
5396	HAB_HAB_1033.exe
5444	HAB_HAB_1033.exe
5456	HAB_HAB_1033.exe
5504	HAB_HAB_1033.exe
5960	HAB_HAB_1033.exe
6128	HAB_HAB_1033.exe
5392	HAB_HAB_1033.exe
2848	HAB_HAB_1033.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	HAB_HAB_1033.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\HAB_HAB_1033.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1816	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	83
PID 4808 wrote to memory of 1816	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	83
PID 4808 wrote to memory of 1816	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	83
PID 4808 wrote to memory of 1692	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	84
PID 4808 wrote to memory of 1692	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	84
PID 4808 wrote to memory of 1692	4808	04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe	84
PID 1692 wrote to memory of 3272	1692	HAB_HAB_1033.exe	86
PID 1692 wrote to memory of 3272	1692	HAB_HAB_1033.exe	86
PID 1692 wrote to memory of 3272	1692	HAB_HAB_1033.exe	86
PID 1692 wrote to memory of 4856	1692	HAB_HAB_1033.exe	87
PID 1692 wrote to memory of 4856	1692	HAB_HAB_1033.exe	87
PID 1692 wrote to memory of 4856	1692	HAB_HAB_1033.exe	87
PID 4856 wrote to memory of 4956	4856	HAB_HAB_1033.exe	89
PID 4856 wrote to memory of 4956	4856	HAB_HAB_1033.exe	89
PID 4856 wrote to memory of 4956	4856	HAB_HAB_1033.exe	89
PID 4856 wrote to memory of 2800	4856	HAB_HAB_1033.exe	90
PID 4856 wrote to memory of 2800	4856	HAB_HAB_1033.exe	90
PID 4856 wrote to memory of 2800	4856	HAB_HAB_1033.exe	90
PID 2800 wrote to memory of 3816	2800	HAB_HAB_1033.exe	92
PID 2800 wrote to memory of 3816	2800	HAB_HAB_1033.exe	92
PID 2800 wrote to memory of 3816	2800	HAB_HAB_1033.exe	92
PID 2800 wrote to memory of 3496	2800	HAB_HAB_1033.exe	93
PID 2800 wrote to memory of 3496	2800	HAB_HAB_1033.exe	93
PID 2800 wrote to memory of 3496	2800	HAB_HAB_1033.exe	93
PID 3496 wrote to memory of 1224	3496	HAB_HAB_1033.exe	94
PID 3496 wrote to memory of 1224	3496	HAB_HAB_1033.exe	94
PID 3496 wrote to memory of 1224	3496	HAB_HAB_1033.exe	94
PID 3496 wrote to memory of 1856	3496	HAB_HAB_1033.exe	96
PID 3496 wrote to memory of 1856	3496	HAB_HAB_1033.exe	96
PID 3496 wrote to memory of 1856	3496	HAB_HAB_1033.exe	96
PID 1856 wrote to memory of 4600	1856	HAB_HAB_1033.exe	97
PID 1856 wrote to memory of 4600	1856	HAB_HAB_1033.exe	97
PID 1856 wrote to memory of 4600	1856	HAB_HAB_1033.exe	97
PID 1856 wrote to memory of 4752	1856	HAB_HAB_1033.exe	98
PID 1856 wrote to memory of 4752	1856	HAB_HAB_1033.exe	98
PID 1856 wrote to memory of 4752	1856	HAB_HAB_1033.exe	98
PID 4752 wrote to memory of 900	4752	HAB_HAB_1033.exe	101
PID 4752 wrote to memory of 900	4752	HAB_HAB_1033.exe	101
PID 4752 wrote to memory of 900	4752	HAB_HAB_1033.exe	101
PID 4752 wrote to memory of 4468	4752	HAB_HAB_1033.exe	102
PID 4752 wrote to memory of 4468	4752	HAB_HAB_1033.exe	102
PID 4752 wrote to memory of 4468	4752	HAB_HAB_1033.exe	102
PID 4468 wrote to memory of 3628	4468	HAB_HAB_1033.exe	103
PID 4468 wrote to memory of 3628	4468	HAB_HAB_1033.exe	103
PID 4468 wrote to memory of 3628	4468	HAB_HAB_1033.exe	103
PID 4468 wrote to memory of 1680	4468	HAB_HAB_1033.exe	466
PID 4468 wrote to memory of 1680	4468	HAB_HAB_1033.exe	466
PID 4468 wrote to memory of 1680	4468	HAB_HAB_1033.exe	466
PID 1680 wrote to memory of 4040	1680	HAB_HAB_1033.exe	107
PID 1680 wrote to memory of 4040	1680	HAB_HAB_1033.exe	107
PID 1680 wrote to memory of 4040	1680	HAB_HAB_1033.exe	107
PID 1680 wrote to memory of 3200	1680	HAB_HAB_1033.exe	108
PID 1680 wrote to memory of 3200	1680	HAB_HAB_1033.exe	108
PID 1680 wrote to memory of 3200	1680	HAB_HAB_1033.exe	108
PID 3200 wrote to memory of 3220	3200	HAB_HAB_1033.exe	110
PID 3200 wrote to memory of 3220	3200	HAB_HAB_1033.exe	110
PID 3200 wrote to memory of 3220	3200	HAB_HAB_1033.exe	110
PID 3200 wrote to memory of 3568	3200	HAB_HAB_1033.exe	111
PID 3200 wrote to memory of 3568	3200	HAB_HAB_1033.exe	111
PID 3200 wrote to memory of 3568	3200	HAB_HAB_1033.exe	111
PID 4956 wrote to memory of 1384	4956	cmd.exe	112
PID 4956 wrote to memory of 1384	4956	cmd.exe	112
PID 4956 wrote to memory of 1384	4956	cmd.exe	112
PID 3568 wrote to memory of 3920	3568	HAB_HAB_1033.exe	114

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
11956	attrib.exe
11616	Process not Found
12084	Process not Found
10996	attrib.exe
13020	Process not Found
11908	Process not Found
9828	attrib.exe
13076	Process not Found
13928	Process not Found
11484	attrib.exe
13320	Process not Found
6908	attrib.exe
12420	Process not Found
12672	Process not Found
6984	attrib.exe
9168	attrib.exe
11928	attrib.exe
10164	attrib.exe
7340	attrib.exe
9608	attrib.exe
11236	attrib.exe
9660	Process not Found
11928	Process not Found
12972	Process not Found
7584	attrib.exe
12084	attrib.exe
12036	attrib.exe
11788	Process not Found
3028	attrib.exe
9404	attrib.exe
11612	attrib.exe
11952	Process not Found
7004	attrib.exe
8576	attrib.exe
12524	Process not Found
12460	Process not Found
14048	Process not Found
12248	Process not Found
13212	Process not Found
12904	Process not Found
8296	attrib.exe
12928	Process not Found
11240	Process not Found
12568	Process not Found
6052	attrib.exe
6904	attrib.exe
9400	attrib.exe
9364	attrib.exe
12060	attrib.exe
12344	Process not Found
5016	attrib.exe
5496	attrib.exe
8780	attrib.exe
10100	attrib.exe
7236	attrib.exe
9156	attrib.exe
11528	attrib.exe
11860	Process not Found
6388	attrib.exe
14208	Process not Found
9068	Process not Found
13460	Process not Found
12592	Process not Found
5356	attrib.exe

C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\c7417df98544240601515.bat
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\04a2c38185c6b778d9c6c2814289080b_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2864
- C:\Windows\SysWOW64\HAB_HAB_1033.exe
  C:\Windows\system32\HAB_HAB_1033.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\c7417df98544240601546.bat
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:4464
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:6776
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:8144
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:9824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
      4⤵
      PID:9168
- - C:\Windows\SysWOW64\HAB_HAB_1033.exe
    C:\Windows\system32\HAB_HAB_1033.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\c7417df98544240601562.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:5360
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:6660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:6012
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:8656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:6012
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:9408
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:9348
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:10808
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:10272
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:12084
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        5⤵
        
        PID:11800
  - - C:\Windows\SysWOW64\HAB_HAB_1033.exe
      C:\Windows\system32\HAB_HAB_1033.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601578.bat
        5⤵
        
        PID:3816
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:3576
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:1680
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:5356
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:6828
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:8732
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        
        PID:10068
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:10004
    - - C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601609.bat
        6⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        7⤵
        
        PID:9068
      - C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601640.bat
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:7584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        8⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601656.bat
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        9⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601703.bat
        9⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        10⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601765.bat
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        11⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601843.bat
        11⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        12⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601875.bat
        12⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        13⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        12⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601937.bat
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:7340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:11236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        14⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        13⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240601968.bat
        14⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        Drops file in System32 directory
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        15⤵
        Views/modifies file attributes
        
        PID:12060
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        14⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602000.bat
        15⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:7560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        16⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        15⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602078.bat
        16⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        17⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602109.bat
        17⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        Views/modifies file attributes
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        18⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        17⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602125.bat
        18⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        19⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        18⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602140.bat
        19⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        20⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602171.bat
        20⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        21⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        20⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602203.bat
        21⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        Views/modifies file attributes
        
        PID:5016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        22⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        21⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602250.bat
        22⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        23⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        22⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602265.bat
        23⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:6908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        24⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        23⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602296.bat
        24⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        25⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        24⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602343.bat
        25⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        26⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        25⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602375.bat
        26⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        27⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        26⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602390.bat
        27⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        28⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        27⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602437.bat
        28⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        29⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        28⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602500.bat
        29⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        29⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602562.bat
        30⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        31⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        30⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602640.bat
        31⤵
        
        PID:3872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        32⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        31⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602671.bat
        32⤵
        
        PID:708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        33⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        32⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602703.bat
        33⤵
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        34⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        33⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602765.bat
        34⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        35⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        34⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602828.bat
        35⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        36⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        35⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602875.bat
        36⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        37⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        36⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602906.bat
        37⤵
        
        PID:5012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        38⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        37⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602953.bat
        38⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        39⤵
        Drops file in System32 directory
        
        PID:11564
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        38⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240602984.bat
        39⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        40⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603000.bat
        40⤵
        
        PID:60
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        41⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        40⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603062.bat
        41⤵
        
        PID:696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        42⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        41⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603078.bat
        42⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        Views/modifies file attributes
        
        PID:6904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        Views/modifies file attributes
        
        PID:9400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        43⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        42⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603125.bat
        43⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        44⤵
        Views/modifies file attributes
        
        PID:9168
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        43⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603140.bat
        44⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        45⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        44⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603187.bat
        45⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        46⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        45⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603250.bat
        46⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        47⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        46⤵
        Executes dropped EXE
        
        PID:5348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603296.bat
        47⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        48⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        47⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603343.bat
        48⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        49⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        48⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603359.bat
        49⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        50⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        49⤵
        Executes dropped EXE
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603406.bat
        50⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        51⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        50⤵
        Executes dropped EXE
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603437.bat
        51⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        Views/modifies file attributes
        
        PID:10164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        52⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        51⤵
        Executes dropped EXE
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603468.bat
        52⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        53⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        52⤵
        Executes dropped EXE
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603484.bat
        53⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        54⤵
        Views/modifies file attributes
        
        PID:11928
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        53⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603515.bat
        54⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        Views/modifies file attributes
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        55⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        54⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603546.bat
        55⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        
        PID:8340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        56⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603578.bat
        56⤵
        
        PID:6136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        57⤵
        Views/modifies file attributes
        
        PID:10996
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        56⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603609.bat
        57⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        58⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        57⤵
        Executes dropped EXE
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603687.bat
        58⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        59⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        58⤵
        Executes dropped EXE
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603734.bat
        59⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        60⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        59⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603765.bat
        60⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        61⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        60⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603796.bat
        61⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        62⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        61⤵
        Executes dropped EXE
        
        PID:5504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603843.bat
        62⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        63⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        62⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603890.bat
        63⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        64⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        63⤵
        Executes dropped EXE
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240603921.bat
        64⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        65⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        64⤵
        Executes dropped EXE
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604000.bat
        65⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        Drops file in System32 directory
        
        PID:9192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        66⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        65⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604031.bat
        66⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        67⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        66⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604093.bat
        67⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        68⤵
        Drops file in System32 directory
        
        PID:9672
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        67⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604140.bat
        68⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        Views/modifies file attributes
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        69⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        68⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604171.bat
        69⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        70⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        69⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604234.bat
        70⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        Drops file in System32 directory
        
        PID:8588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        71⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        70⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604281.bat
        71⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        72⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        71⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604312.bat
        72⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        73⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        72⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604328.bat
        73⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        
        PID:7776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        
        PID:9100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        74⤵
        Drops file in System32 directory
        
        PID:10988
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        73⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604375.bat
        74⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        75⤵
        Views/modifies file attributes
        
        PID:11528
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        74⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604406.bat
        75⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        Views/modifies file attributes
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        76⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        75⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604421.bat
        76⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        77⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        76⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604484.bat
        77⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        Views/modifies file attributes
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        78⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        77⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604546.bat
        78⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        Views/modifies file attributes
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        79⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        78⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604609.bat
        79⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        Drops file in System32 directory
        
        PID:9604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        80⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        79⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604656.bat
        80⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        Views/modifies file attributes
        
        PID:8576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        81⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        80⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604734.bat
        81⤵
        
        PID:3416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        82⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        81⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604812.bat
        82⤵
        
        PID:6724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        83⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        82⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604812.bat
        83⤵
        
        PID:6704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        84⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        83⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604828.bat
        84⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        85⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        84⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604875.bat
        85⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        Views/modifies file attributes
        
        PID:9828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        86⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        85⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240604953.bat
        86⤵
        
        PID:7164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        87⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        86⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605000.bat
        87⤵
        
        PID:6748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        88⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        87⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605046.bat
        88⤵
        
        PID:6880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        89⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        88⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605109.bat
        89⤵
        
        PID:5996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        90⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        89⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605140.bat
        90⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        91⤵
        Drops file in System32 directory
        
        PID:9784
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        90⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605187.bat
        91⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        92⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        91⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605203.bat
        92⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        93⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        92⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605250.bat
        93⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        94⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        93⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605281.bat
        94⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        Drops file in System32 directory
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        95⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        94⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605312.bat
        95⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        96⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        95⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605375.bat
        96⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        97⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        96⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605406.bat
        97⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        Views/modifies file attributes
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        98⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        97⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605437.bat
        98⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        99⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        98⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605468.bat
        99⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        100⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        99⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605546.bat
        100⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        101⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        100⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605578.bat
        101⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        102⤵
        Views/modifies file attributes
        
        PID:11956
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        101⤵
        Drops file in System32 directory
        
        PID:8188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605656.bat
        102⤵
        
        PID:5660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        103⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        102⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605703.bat
        103⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        104⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        103⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605718.bat
        104⤵
        
        PID:7724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        105⤵
        Views/modifies file attributes
        
        PID:12036
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        104⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605734.bat
        105⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        106⤵
        
        PID:11492
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        105⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605781.bat
        106⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        107⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        106⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605812.bat
        107⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        108⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        107⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240605937.bat
        108⤵
        
        PID:6244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        Views/modifies file attributes
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        109⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        108⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606000.bat
        109⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        110⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        109⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606046.bat
        110⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        111⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        110⤵
        Drops file in System32 directory
        
        PID:7316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606125.bat
        111⤵
        
        PID:7352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        112⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        111⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606171.bat
        112⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        113⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        112⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606203.bat
        113⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        114⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        113⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606250.bat
        114⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        115⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        114⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606265.bat
        115⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        116⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        115⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606343.bat
        116⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        117⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        116⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606359.bat
        117⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        118⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        117⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606406.bat
        118⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        119⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        118⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606437.bat
        119⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        Views/modifies file attributes
        
        PID:6984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        120⤵
        Views/modifies file attributes
        
        PID:11612
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        119⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606531.bat
        120⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        121⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        120⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606796.bat
        121⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        122⤵
        Drops file in System32 directory
        
        PID:12064
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        121⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606890.bat
        122⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        123⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        122⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240606953.bat
        123⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        124⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        123⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607000.bat
        124⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        125⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        124⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607062.bat
        125⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        126⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        125⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607140.bat
        126⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        127⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        126⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607265.bat
        127⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        128⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        127⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607359.bat
        128⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        129⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        128⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607390.bat
        129⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        130⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        130⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        129⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607421.bat
        130⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        131⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        131⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        130⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607515.bat
        131⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        132⤵
        
        PID:11072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        132⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        131⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607531.bat
        132⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        133⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        133⤵
        Views/modifies file attributes
        
        PID:11484
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        132⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607562.bat
        133⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        134⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        134⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        133⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607609.bat
        134⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        135⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        135⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        134⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607640.bat
        135⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        136⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        136⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        135⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607656.bat
        136⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        137⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        137⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        136⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607765.bat
        137⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        138⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        138⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        137⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607812.bat
        138⤵
        
        PID:8372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        139⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        139⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        138⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607906.bat
        139⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        140⤵
        Drops file in System32 directory
        
        PID:10748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        140⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        139⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240607968.bat
        140⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        141⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        140⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608015.bat
        141⤵
        
        PID:10016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        142⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        141⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608046.bat
        142⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        143⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        142⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608109.bat
        143⤵
        
        PID:8272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        144⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        143⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608203.bat
        144⤵
        
        PID:8468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        145⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        145⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        145⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        144⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608281.bat
        145⤵
        
        PID:7512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        146⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        145⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608359.bat
        146⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        147⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        146⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608453.bat
        147⤵
        
        PID:8660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        148⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        147⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608531.bat
        148⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        149⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        148⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608625.bat
        149⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        150⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        150⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        149⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608703.bat
        150⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        151⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        150⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608750.bat
        151⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        152⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        151⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608796.bat
        152⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        153⤵
        Drops file in System32 directory
        
        PID:10168
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        152⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608828.bat
        153⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        154⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        153⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608937.bat
        154⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        155⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        154⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240608968.bat
        155⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        156⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        155⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609015.bat
        156⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        157⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        156⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609093.bat
        157⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        158⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        157⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609125.bat
        158⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        159⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        158⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609218.bat
        159⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        160⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        159⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609281.bat
        160⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        161⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        160⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609343.bat
        161⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        162⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        161⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609390.bat
        162⤵
        
        PID:7452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        163⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        162⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609437.bat
        163⤵
        
        PID:7676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        164⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        163⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609500.bat
        164⤵
        
        PID:9088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        165⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        164⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609578.bat
        165⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        166⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        165⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609656.bat
        166⤵
        
        PID:9568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        167⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        166⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609718.bat
        167⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        168⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        167⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609781.bat
        168⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        169⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        168⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609812.bat
        169⤵
        
        PID:10484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        169⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609828.bat
        170⤵
        
        PID:5588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\HAB_HAB_1033.exe" -r -a -s -h
        171⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        170⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609859.bat
        171⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        171⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609937.bat
        172⤵
        
        PID:11164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        172⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240609968.bat
        173⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        173⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610046.bat
        174⤵
        
        PID:9248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        174⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610078.bat
        175⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        175⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610125.bat
        176⤵
        
        PID:10596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        176⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610171.bat
        177⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        177⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610265.bat
        178⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        178⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610343.bat
        179⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        179⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610406.bat
        180⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        180⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610578.bat
        181⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        181⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610625.bat
        182⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        182⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610718.bat
        183⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        183⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610781.bat
        184⤵
        
        PID:12164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        184⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610843.bat
        185⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        185⤵
        Drops file in System32 directory
        
        PID:10488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240610953.bat
        186⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        186⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611000.bat
        187⤵
        
        PID:7348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        187⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611093.bat
        188⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        188⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611125.bat
        189⤵
        
        PID:11828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        190⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        189⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611156.bat
        190⤵
        
        PID:11272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        190⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611250.bat
        191⤵
        
        PID:11912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        191⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611281.bat
        192⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\HAB_HAB_1033.exe
        
        C:\Windows\system32\HAB_HAB_1033.exe
        192⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\c7417df98544240611312.bat
        193⤵
        
        PID:10376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HAB_HAB_1033.exe

Filesize
11KB

MD5
04a2c38185c6b778d9c6c2814289080b

SHA1
7907ce9cf9efd6f88731f44c1a13b18aefe5fe51

SHA256
ea001093251247bc406fe5d032e0438cc51fe377a9618155ca8a1b4423837cc9

SHA512
fc3992612a3604b24d33dbc25fd70955547a8f93239480d728282b188c405af7c749612d81850bbac7d42e74ebc47a14aad3832046cd8333014ca6f9437ce993

Download Submit
C:\c7417df98544240601515.bat

Filesize
332B

MD5
e0ed04e87e9472de73edc5ad269722c8

SHA1
3d4398349b6d8acfeaeec9dd6307fe5bc14d029d

SHA256
736ece2743f6f90ef91ff63d1c5b94eeeae263145915721ac7c4c548d0c7c388

SHA512
ac81a5d3373d333227d130fb01061246cdfe0a3396232c08ce993a7eaaf628fba4a541ca5da22224ca21a78f91b13c966f8222a0457f4fba6e8a86f777b48e56

Download Submit
C:\c7417df98544240601578.bat

Filesize
188B

MD5
1aaca4473e35e4cc0c3b3d6dcbe27315

SHA1
1787bfcba82afabdf1d0d570a09519ab131cdf7c

SHA256
93d33317d9b4827189fde54a5f64aa8cb0a60106acf2206a0c09a6e280dd04dd

SHA512
4bd06f1f2a49fa179a84f3be9df03f269733acf1f5df38c2189d4429ad62e9e20e6cdd02174c59555e126754de355cc161c808caf4931ceba16d2cbf4b415296

Download Submit