655d8b2f9b6a21fc24f2d43b38e9cf59d5a9ab7c660edfa8b4d6c8e2d645aaf9

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe
Size

12KB
MD5

06702dee5b662c0851b6930f273ebee6
SHA1

7c97530b1678959d6eb1088891ae3ba128f80dfa
SHA256

655d8b2f9b6a21fc24f2d43b38e9cf59d5a9ab7c660edfa8b4d6c8e2d645aaf9
SHA512

a3a2c926bd8d7981aa9015da8f145d4f8949df9f2a4b173340d92c4040b7d119b1b49ebaf47319c8ccd40a113b1cbe288468a684ecccb48b73dee77093faa6eb
SSDEEP

192:oGKc4LTKsQ65laU///////lwsToqBDywXmSuN+APGXfYFeBmAnkkgUw9X/ED:oXPH7/Qs3BDVcbPG3Rn7AW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4140	fCBDCBD1033.exe
3144	fCBDCBD1033.exe
4904	fCBDCBD1033.exe
2176	fCBDCBD1033.exe
1136	fCBDCBD1033.exe
5080	fCBDCBD1033.exe
4084	fCBDCBD1033.exe
3688	fCBDCBD1033.exe
5048	fCBDCBD1033.exe
848	fCBDCBD1033.exe
1548	fCBDCBD1033.exe
4664	fCBDCBD1033.exe
4064	fCBDCBD1033.exe
2244	fCBDCBD1033.exe
1856	fCBDCBD1033.exe
3136	fCBDCBD1033.exe
3476	fCBDCBD1033.exe
656	fCBDCBD1033.exe
396	fCBDCBD1033.exe
1556	fCBDCBD1033.exe
2508	fCBDCBD1033.exe
1400	fCBDCBD1033.exe
2444	fCBDCBD1033.exe
4888	fCBDCBD1033.exe
4208	fCBDCBD1033.exe
2248	fCBDCBD1033.exe
3148	fCBDCBD1033.exe
2176	fCBDCBD1033.exe
2376	fCBDCBD1033.exe
4456	fCBDCBD1033.exe
4656	fCBDCBD1033.exe
3184	fCBDCBD1033.exe
396	fCBDCBD1033.exe
4620	fCBDCBD1033.exe
4920	fCBDCBD1033.exe
1400	fCBDCBD1033.exe
2248	fCBDCBD1033.exe
2748	fCBDCBD1033.exe
5076	fCBDCBD1033.exe
1824	fCBDCBD1033.exe
3340	fCBDCBD1033.exe
4776	fCBDCBD1033.exe
4656	fCBDCBD1033.exe
940	fCBDCBD1033.exe
5136	fCBDCBD1033.exe
5312	fCBDCBD1033.exe
5440	fCBDCBD1033.exe
5676	fCBDCBD1033.exe
5720	fCBDCBD1033.exe
5804	fCBDCBD1033.exe
5956	fCBDCBD1033.exe
6008	fCBDCBD1033.exe
6116	fCBDCBD1033.exe
2452	fCBDCBD1033.exe
3912	fCBDCBD1033.exe
940	fCBDCBD1033.exe
4832	fCBDCBD1033.exe
5592	fCBDCBD1033.exe
5528	fCBDCBD1033.exe
5736	fCBDCBD1033.exe
6096	fCBDCBD1033.exe
5340	fCBDCBD1033.exe
5592	fCBDCBD1033.exe
4208	fCBDCBD1033.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	Process not Found
File created	C:\Windows\SysWOW64\fCBDCBD1033.exe	fCBDCBD1033.exe
File opened for modification	C:\Windows\SysWOW64\fCBDCBD1033.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4740	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	82
PID 5108 wrote to memory of 4740	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	82
PID 5108 wrote to memory of 4740	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	82
PID 5108 wrote to memory of 4140	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	83
PID 5108 wrote to memory of 4140	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	83
PID 5108 wrote to memory of 4140	5108	06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe	83
PID 4140 wrote to memory of 3576	4140	fCBDCBD1033.exe	85
PID 4140 wrote to memory of 3576	4140	fCBDCBD1033.exe	85
PID 4140 wrote to memory of 3576	4140	fCBDCBD1033.exe	85
PID 4140 wrote to memory of 3144	4140	fCBDCBD1033.exe	86
PID 4140 wrote to memory of 3144	4140	fCBDCBD1033.exe	86
PID 4140 wrote to memory of 3144	4140	fCBDCBD1033.exe	86
PID 3144 wrote to memory of 4788	3144	fCBDCBD1033.exe	88
PID 3144 wrote to memory of 4788	3144	fCBDCBD1033.exe	88
PID 3144 wrote to memory of 4788	3144	fCBDCBD1033.exe	88
PID 3144 wrote to memory of 4904	3144	fCBDCBD1033.exe	89
PID 3144 wrote to memory of 4904	3144	fCBDCBD1033.exe	89
PID 3144 wrote to memory of 4904	3144	fCBDCBD1033.exe	89
PID 4904 wrote to memory of 1708	4904	fCBDCBD1033.exe	91
PID 4904 wrote to memory of 1708	4904	fCBDCBD1033.exe	91
PID 4904 wrote to memory of 1708	4904	fCBDCBD1033.exe	91
PID 4904 wrote to memory of 2176	4904	fCBDCBD1033.exe	174
PID 4904 wrote to memory of 2176	4904	fCBDCBD1033.exe	174
PID 4904 wrote to memory of 2176	4904	fCBDCBD1033.exe	174
PID 2176 wrote to memory of 1616	2176	fCBDCBD1033.exe	93
PID 2176 wrote to memory of 1616	2176	fCBDCBD1033.exe	93
PID 2176 wrote to memory of 1616	2176	fCBDCBD1033.exe	93
PID 2176 wrote to memory of 1136	2176	fCBDCBD1033.exe	175
PID 2176 wrote to memory of 1136	2176	fCBDCBD1033.exe	175
PID 2176 wrote to memory of 1136	2176	fCBDCBD1033.exe	175
PID 1136 wrote to memory of 3988	1136	fCBDCBD1033.exe	96
PID 1136 wrote to memory of 3988	1136	fCBDCBD1033.exe	96
PID 1136 wrote to memory of 3988	1136	fCBDCBD1033.exe	96
PID 1136 wrote to memory of 5080	1136	fCBDCBD1033.exe	97
PID 1136 wrote to memory of 5080	1136	fCBDCBD1033.exe	97
PID 1136 wrote to memory of 5080	1136	fCBDCBD1033.exe	97
PID 5080 wrote to memory of 3100	5080	fCBDCBD1033.exe	99
PID 5080 wrote to memory of 3100	5080	fCBDCBD1033.exe	99
PID 5080 wrote to memory of 3100	5080	fCBDCBD1033.exe	99
PID 5080 wrote to memory of 4084	5080	fCBDCBD1033.exe	100
PID 5080 wrote to memory of 4084	5080	fCBDCBD1033.exe	100
PID 5080 wrote to memory of 4084	5080	fCBDCBD1033.exe	100
PID 4788 wrote to memory of 2132	4788	cmd.exe	312
PID 4788 wrote to memory of 2132	4788	cmd.exe	312
PID 4788 wrote to memory of 2132	4788	cmd.exe	312
PID 4084 wrote to memory of 892	4084	fCBDCBD1033.exe	104
PID 4084 wrote to memory of 892	4084	fCBDCBD1033.exe	104
PID 4084 wrote to memory of 892	4084	fCBDCBD1033.exe	104
PID 4084 wrote to memory of 3688	4084	fCBDCBD1033.exe	105
PID 4084 wrote to memory of 3688	4084	fCBDCBD1033.exe	105
PID 4084 wrote to memory of 3688	4084	fCBDCBD1033.exe	105
PID 4740 wrote to memory of 2748	4740	cmd.exe	241
PID 4740 wrote to memory of 2748	4740	cmd.exe	241
PID 4740 wrote to memory of 2748	4740	cmd.exe	241
PID 3576 wrote to memory of 4880	3576	cmd.exe	107
PID 3576 wrote to memory of 4880	3576	cmd.exe	107
PID 3576 wrote to memory of 4880	3576	cmd.exe	107
PID 3688 wrote to memory of 952	3688	fCBDCBD1033.exe	108
PID 3688 wrote to memory of 952	3688	fCBDCBD1033.exe	108
PID 3688 wrote to memory of 952	3688	fCBDCBD1033.exe	108
PID 3688 wrote to memory of 5048	3688	fCBDCBD1033.exe	378
PID 3688 wrote to memory of 5048	3688	fCBDCBD1033.exe	378
PID 3688 wrote to memory of 5048	3688	fCBDCBD1033.exe	378
PID 5048 wrote to memory of 4324	5048	fCBDCBD1033.exe	112

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
11568	Process not Found
6808	attrib.exe
7492	attrib.exe
9772	attrib.exe
14196	Process not Found
8200	attrib.exe
10848	attrib.exe
12180	Process not Found
12616	Process not Found
13560	Process not Found
396	attrib.exe
12016	Process not Found
11512	Process not Found
12648	Process not Found
14700	Process not Found
3148	attrib.exe
9584	attrib.exe
9912	attrib.exe
7588	attrib.exe
10260	attrib.exe
13336	Process not Found
7108	attrib.exe
9056	attrib.exe
11172	attrib.exe
10264	Process not Found
10896	Process not Found
6924	attrib.exe
7648	attrib.exe
7792	attrib.exe
10444	Process not Found
11964	Process not Found
5904	attrib.exe
6388	attrib.exe
8996	attrib.exe
9324	Process not Found
13104	Process not Found
14124	Process not Found
14632	Process not Found
4620	attrib.exe
6796	attrib.exe
13088	Process not Found
9952	attrib.exe
10620	Process not Found
8036	attrib.exe
10380	attrib.exe
10444	attrib.exe
6476	attrib.exe
6260	attrib.exe
7804	attrib.exe
11268	Process not Found
12952	Process not Found
7184	attrib.exe
9308	attrib.exe
7484	attrib.exe
10860	Process not Found
10608	Process not Found
8932	Process not Found
11368	Process not Found
14656	Process not Found
6592	attrib.exe
8096	attrib.exe
6944	attrib.exe
6736	attrib.exe
10496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608234.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\06702dee5b662c0851b6930f273ebee6_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:2748
- C:\Windows\SysWOW64\fCBDCBD1033.exe
  C:\Windows\system32\fCBDCBD1033.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608265.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      PID:4880
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      PID:3472
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:6736
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      Drops file in System32 directory
      PID:6808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      PID:8328
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
      4⤵
      PID:7948
- - C:\Windows\SysWOW64\fCBDCBD1033.exe
    C:\Windows\system32\fCBDCBD1033.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608296.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:5216
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:6976
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:7228
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        5⤵
        
        PID:9696
  - - C:\Windows\SysWOW64\fCBDCBD1033.exe
      C:\Windows\system32\fCBDCBD1033.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608328.bat
        5⤵
        
        PID:1708
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:4256
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:656
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:6128
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:6164
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:5824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:8952
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:9584
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        6⤵
        
        PID:11144
    - - C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608343.bat
        6⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        Views/modifies file attributes
        
        PID:8096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        7⤵
        
        PID:10376
      - C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608359.bat
        7⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        8⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608390.bat
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        9⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608437.bat
        9⤵
        
        PID:892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        10⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608468.bat
        10⤵
        
        PID:952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        11⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608515.bat
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:9320
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        11⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608546.bat
        12⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        13⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        12⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608593.bat
        13⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:60
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:6592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        14⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        13⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608656.bat
        14⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        15⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        14⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608671.bat
        15⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        16⤵
        Views/modifies file attributes
        
        PID:3148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        16⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        16⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        16⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        16⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608703.bat
        16⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        17⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        16⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608750.bat
        17⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        18⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        17⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608796.bat
        18⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        19⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        18⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608828.bat
        19⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        Views/modifies file attributes
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        Views/modifies file attributes
        
        PID:7108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        20⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        19⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608875.bat
        20⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        21⤵
        Views/modifies file attributes
        
        PID:8996
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        20⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608890.bat
        21⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        22⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        21⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608906.bat
        22⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        23⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        22⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608968.bat
        23⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        24⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        23⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240608984.bat
        24⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        Views/modifies file attributes
        
        PID:4620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        25⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        24⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609046.bat
        25⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        26⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        25⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609093.bat
        26⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        Views/modifies file attributes
        
        PID:396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        27⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        26⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609109.bat
        27⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        28⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        27⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609156.bat
        28⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        Views/modifies file attributes
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        29⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        28⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609203.bat
        29⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        Views/modifies file attributes
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        Views/modifies file attributes
        
        PID:9308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        30⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609265.bat
        30⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        31⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        31⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:8164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        31⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        31⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        30⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609328.bat
        31⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        32⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        31⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609375.bat
        32⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        33⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        33⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        33⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        33⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        33⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        32⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609390.bat
        33⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        34⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        33⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609437.bat
        34⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        35⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        34⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609468.bat
        35⤵
        
        PID:688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        Views/modifies file attributes
        
        PID:8200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        36⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        35⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609484.bat
        36⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        37⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        36⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609546.bat
        37⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        38⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        37⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609578.bat
        38⤵
        
        PID:932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        39⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        39⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        39⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        39⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        39⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        38⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609625.bat
        39⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        40⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        39⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609671.bat
        40⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        41⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        41⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        41⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        41⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        41⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        40⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609734.bat
        41⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        42⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        41⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609781.bat
        42⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        43⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        43⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        43⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        43⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        43⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        42⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609796.bat
        43⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        44⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        44⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        44⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        44⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        44⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        43⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609890.bat
        44⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        45⤵
        Drops file in System32 directory
        
        PID:8636
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        44⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240609921.bat
        45⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        46⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        45⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610000.bat
        46⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        47⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        47⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        47⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        47⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        47⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        46⤵
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610093.bat
        47⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        48⤵
        Views/modifies file attributes
        
        PID:5904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        48⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        48⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        48⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        48⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        47⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610156.bat
        48⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        49⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        48⤵
        Executes dropped EXE
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610265.bat
        49⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        50⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        50⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        50⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        50⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        50⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        49⤵
        Executes dropped EXE
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610281.bat
        50⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        51⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        51⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        51⤵
        Views/modifies file attributes
        
        PID:7184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        51⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        51⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        50⤵
        Executes dropped EXE
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610312.bat
        51⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        52⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        52⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        52⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        52⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        52⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        51⤵
        Executes dropped EXE
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610359.bat
        52⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        53⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        52⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610421.bat
        53⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        54⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        54⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        54⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        54⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        54⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        53⤵
        Executes dropped EXE
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610468.bat
        54⤵
        
        PID:6108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        Views/modifies file attributes
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        55⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        54⤵
        Executes dropped EXE
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610484.bat
        55⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        56⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        56⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        56⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        56⤵
        Views/modifies file attributes
        
        PID:7484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        56⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        55⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610578.bat
        56⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        57⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        57⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        57⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        57⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        56⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610593.bat
        57⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        58⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        57⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610640.bat
        58⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        59⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        59⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        59⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        59⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        58⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610671.bat
        59⤵
        
        PID:5444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        60⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        60⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        60⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        60⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        59⤵
        Executes dropped EXE
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610734.bat
        60⤵
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        61⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        61⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        61⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        61⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        61⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        60⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610765.bat
        61⤵
        
        PID:5776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        62⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        62⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        62⤵
        Views/modifies file attributes
        
        PID:7804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        62⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        61⤵
        Executes dropped EXE
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610812.bat
        62⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        63⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        63⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        63⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        63⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        62⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610921.bat
        63⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        64⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        64⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        64⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        64⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        64⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        63⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240610984.bat
        64⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        65⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        65⤵
        Drops file in System32 directory
        
        PID:7684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        65⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        65⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        64⤵
        Executes dropped EXE
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611015.bat
        65⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        66⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        66⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        66⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        66⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        65⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611046.bat
        66⤵
        
        PID:5872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        67⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        66⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611062.bat
        67⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        68⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        68⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        68⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        68⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        68⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        67⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611078.bat
        68⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        69⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        69⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        69⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        69⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10444
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        68⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611125.bat
        69⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        70⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        70⤵
        Drops file in System32 directory
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        70⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        69⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611203.bat
        70⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        71⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        71⤵
        Views/modifies file attributes
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        71⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        71⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        70⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611312.bat
        71⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        72⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        72⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        72⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        72⤵
        Drops file in System32 directory
        
        PID:11068
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        71⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611375.bat
        72⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        73⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        72⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611421.bat
        73⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        74⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        74⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        74⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        74⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        73⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611453.bat
        74⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        75⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        74⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611484.bat
        75⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        76⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        76⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        76⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        76⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        75⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611531.bat
        76⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        77⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        77⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        77⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        76⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611578.bat
        77⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        78⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        78⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        78⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        78⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        77⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611593.bat
        78⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        79⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        79⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        79⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        79⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        78⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611656.bat
        79⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        80⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        80⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        80⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        80⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        79⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611687.bat
        80⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        81⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        81⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        81⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        81⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        81⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        80⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611765.bat
        81⤵
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        82⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        82⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        82⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        82⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        81⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611796.bat
        82⤵
        
        PID:5868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        83⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        83⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        83⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        83⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        82⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611875.bat
        83⤵
        
        PID:6624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        84⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        84⤵
        Drops file in System32 directory
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        84⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        84⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        83⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240611984.bat
        84⤵
        
        PID:6824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        85⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        85⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        85⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        85⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        84⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612015.bat
        85⤵
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        86⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        86⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        86⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        86⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        85⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612078.bat
        86⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        87⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        87⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        87⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        87⤵
        Views/modifies file attributes
        
        PID:10380
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        86⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612140.bat
        87⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        88⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        88⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        88⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        87⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612218.bat
        88⤵
        
        PID:6524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        89⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        89⤵
        Views/modifies file attributes
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        89⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        88⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612281.bat
        89⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        Drops file in System32 directory
        
        PID:9496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        90⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        89⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612359.bat
        90⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        91⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        91⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        91⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        90⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612406.bat
        91⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        Drops file in System32 directory
        
        PID:9880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        92⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        91⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612421.bat
        92⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        93⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        92⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612515.bat
        93⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        94⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        94⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        94⤵
        Views/modifies file attributes
        
        PID:9772
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        93⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612531.bat
        94⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        95⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        95⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        95⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        94⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612609.bat
        95⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        96⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        96⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        96⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        95⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612640.bat
        96⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        97⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        97⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        96⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612703.bat
        97⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        98⤵
        Views/modifies file attributes
        
        PID:6808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        98⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        98⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        98⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        97⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612750.bat
        98⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        99⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        99⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        99⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        98⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612796.bat
        99⤵
        
        PID:7432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        100⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        100⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        100⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        99⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612828.bat
        100⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        101⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        101⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        100⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612890.bat
        101⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        102⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        102⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        102⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        101⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240612968.bat
        102⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        103⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        103⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        103⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        103⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        102⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613000.bat
        103⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        104⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        104⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        104⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        104⤵
        Drops file in System32 directory
        
        PID:10616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        104⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        103⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613062.bat
        104⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        105⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        105⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        104⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613125.bat
        105⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        106⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        106⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        106⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        105⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613437.bat
        106⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        107⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        107⤵
        Views/modifies file attributes
        
        PID:7588
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        106⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613562.bat
        107⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        108⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        108⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        107⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613625.bat
        108⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        109⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        109⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        108⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613718.bat
        109⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        110⤵
        Drops file in System32 directory
        
        PID:9096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        110⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        109⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613796.bat
        110⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        111⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        111⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        110⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613859.bat
        111⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        112⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        112⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        111⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613875.bat
        112⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        113⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        113⤵
        Views/modifies file attributes
        
        PID:11172
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        112⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240613937.bat
        113⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        114⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        114⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        113⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614046.bat
        114⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        115⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        115⤵
        Drops file in System32 directory
        
        PID:10892
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        114⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614109.bat
        115⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        116⤵
        Views/modifies file attributes
        
        PID:9952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        116⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        115⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614140.bat
        116⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        117⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        117⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        116⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614171.bat
        117⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        118⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        118⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        117⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614250.bat
        118⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        119⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        119⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        118⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614343.bat
        119⤵
        
        PID:7572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        120⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        120⤵
        Views/modifies file attributes
        
        PID:10848
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        119⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614390.bat
        120⤵
        
        PID:7592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        121⤵
        Views/modifies file attributes
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        121⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        120⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614484.bat
        121⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        122⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9912
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        121⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614640.bat
        122⤵
        
        PID:6496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        123⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        122⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614734.bat
        123⤵
        
        PID:7276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        124⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        124⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        124⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        123⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614843.bat
        124⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        125⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        125⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        124⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614890.bat
        125⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        126⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        126⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        126⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        125⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240614953.bat
        126⤵
        
        PID:6340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        127⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        126⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615000.bat
        127⤵
        
        PID:8228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        128⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        127⤵
        Drops file in System32 directory
        
        PID:7732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615046.bat
        128⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        129⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        128⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615093.bat
        129⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        130⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        129⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615156.bat
        130⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        131⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        130⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615218.bat
        131⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        132⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        131⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615328.bat
        132⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        133⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        132⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615406.bat
        133⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        134⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        133⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615437.bat
        134⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        135⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        134⤵
        Drops file in System32 directory
        
        PID:9552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615484.bat
        135⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        136⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        135⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615531.bat
        136⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        137⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        136⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615562.bat
        137⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        138⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        137⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615593.bat
        138⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        139⤵
        Views/modifies file attributes
        
        PID:10260
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        138⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615718.bat
        139⤵
        
        PID:10116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        140⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        139⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615781.bat
        140⤵
        
        PID:8408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        141⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        140⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615828.bat
        141⤵
        
        PID:8224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        142⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        141⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615937.bat
        142⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        143⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        142⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240615984.bat
        143⤵
        
        PID:9980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        144⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        144⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        143⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616062.bat
        144⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        145⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        145⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        144⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616093.bat
        145⤵
        
        PID:10148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        146⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        145⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616140.bat
        146⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        147⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        146⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616203.bat
        147⤵
        
        PID:8956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        148⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        147⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616265.bat
        148⤵
        
        PID:9316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        149⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        148⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616375.bat
        149⤵
        
        PID:9684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        150⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        150⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        149⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616390.bat
        150⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        151⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        150⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616500.bat
        151⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        152⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        151⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616546.bat
        152⤵
        
        PID:7732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        153⤵
        Views/modifies file attributes
        
        PID:8036
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        152⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616593.bat
        153⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        154⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        153⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616640.bat
        154⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        155⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        154⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616750.bat
        155⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        156⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        155⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616859.bat
        156⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        157⤵
        Views/modifies file attributes
        
        PID:10496
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        156⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616906.bat
        157⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        158⤵
        Drops file in System32 directory
        
        PID:10100
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        157⤵
        Drops file in System32 directory
        
        PID:9832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616921.bat
        158⤵
        
        PID:7708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        159⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        158⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240616953.bat
        159⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        160⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        160⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        159⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617046.bat
        160⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        161⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        160⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617093.bat
        161⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        162⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        161⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617203.bat
        162⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        163⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        162⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617281.bat
        163⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        164⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        163⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617343.bat
        164⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        164⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617390.bat
        165⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\fCBDCBD1033.exe" -r -a -s -h
        166⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        165⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617421.bat
        166⤵
        
        PID:11148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        166⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617500.bat
        167⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        167⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617546.bat
        168⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        168⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617578.bat
        169⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        169⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617593.bat
        170⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        170⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617640.bat
        171⤵
        
        PID:10960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        171⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617671.bat
        172⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        172⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617750.bat
        173⤵
        
        PID:9656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        173⤵
        Drops file in System32 directory
        
        PID:7884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617796.bat
        174⤵
        
        PID:10132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        174⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617875.bat
        175⤵
        
        PID:7484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        175⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617921.bat
        176⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        176⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240617953.bat
        177⤵
        
        PID:10516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        178⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        177⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618031.bat
        178⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        178⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618078.bat
        179⤵
        
        PID:10740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        180⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        179⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618125.bat
        180⤵
        
        PID:7564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        180⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618218.bat
        181⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        181⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618296.bat
        182⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\fCBDCBD1033.exe
        
        C:\Windows\system32\fCBDCBD1033.exe
        182⤵
        
        PID:8664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fCBDCBD1033.exe

Filesize
12KB

MD5
06702dee5b662c0851b6930f273ebee6

SHA1
7c97530b1678959d6eb1088891ae3ba128f80dfa

SHA256
655d8b2f9b6a21fc24f2d43b38e9cf59d5a9ab7c660edfa8b4d6c8e2d645aaf9

SHA512
a3a2c926bd8d7981aa9015da8f145d4f8949df9f2a4b173340d92c4040b7d119b1b49ebaf47319c8ccd40a113b1cbe288468a684ecccb48b73dee77093faa6eb

Download Submit
C:\d8008d8e164c240608328.bat

Filesize
185B

MD5
b0bd803e7feac31fb4fc4a8b39cd697e

SHA1
f4351bff6d6b8df967ea43145bde6909a5c55e41

SHA256
2fac8f9ef19cb00912c89a7a5fac0f4f5d432625cc434fb45bbadd28c72d424c

SHA512
873c642b4c0df04d099cedac8f3240d7f07dcdc079c502cbe7d71a2acd90474bd32761374d0930f5097829edf36515ca839c8aa87c6b79f40813892e5917c8d5

Download Submit
\??\c:\d8008d8e164c240608234.bat

Filesize
332B

MD5
f11fee98e9867751b711070eb278145b

SHA1
901386dc020ecd28094694c2d43dae679e9e038b

SHA256
80df6da6b46011a4a84affdfe18cc63641ab083fc8d0ded54c694f09ccebc8f6

SHA512
0969d56044eb03bd4080d5d4c1a670c05bc0417b6c45d65786a9f26c2a6f14ddbd63c0d92552987ebbe73923a1c27b6f0b1625ec644ffdb8554845249ee12d89

Download Submit
memory/12772-564-0x0000000000170000-0x00000000001CA000-memory.dmp

Filesize
360KB

Download
memory/14612-569-0x00000000752F0000-0x0000000075505000-memory.dmp

Filesize
2.1MB

Download