2203945283b793cba3d79605d3ffb421b7b74c5d0604885e2797f80e62348eb4

Analysis

max time kernel
107s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe
Size

2KB
MD5

40ba1455487b1ae8b76c6e89bd20aa1d
SHA1

d76004bb31a5a7a00b950f7349861e346c46cd23
SHA256

2203945283b793cba3d79605d3ffb421b7b74c5d0604885e2797f80e62348eb4
SHA512

0e0142cd26e541dd2ecf2b3ea9612c00773153f2075933e754f84b69dcd84859755a6db81fe73bf67dfd810d6002da2eea8fe1de4cdef4db37aea31550412481

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1084	ffIGBWD1046.exe
5068	ffIGBWD1046.exe
976	ffIGBWD1046.exe
1644	ffIGBWD1046.exe
4804	ffIGBWD1046.exe
4404	ffIGBWD1046.exe
5072	ffIGBWD1046.exe
2116	ffIGBWD1046.exe
4124	ffIGBWD1046.exe
1584	ffIGBWD1046.exe
2512	ffIGBWD1046.exe
1476	ffIGBWD1046.exe
2292	ffIGBWD1046.exe
4900	ffIGBWD1046.exe
5060	ffIGBWD1046.exe
3312	ffIGBWD1046.exe
4652	ffIGBWD1046.exe
4732	ffIGBWD1046.exe
1608	ffIGBWD1046.exe
2656	ffIGBWD1046.exe
3360	ffIGBWD1046.exe
2400	ffIGBWD1046.exe
264	ffIGBWD1046.exe
64	ffIGBWD1046.exe
2712	ffIGBWD1046.exe
2760	ffIGBWD1046.exe
2664	ffIGBWD1046.exe
4380	ffIGBWD1046.exe
4296	ffIGBWD1046.exe
1064	ffIGBWD1046.exe
4448	ffIGBWD1046.exe
996	ffIGBWD1046.exe
552	ffIGBWD1046.exe
4968	ffIGBWD1046.exe
4260	ffIGBWD1046.exe
1644	ffIGBWD1046.exe
3536	ffIGBWD1046.exe
2620	ffIGBWD1046.exe
3324	ffIGBWD1046.exe
4944	ffIGBWD1046.exe
4296	ffIGBWD1046.exe
2632	ffIGBWD1046.exe
3244	ffIGBWD1046.exe
5132	ffIGBWD1046.exe
5196	ffIGBWD1046.exe
5272	ffIGBWD1046.exe
5364	ffIGBWD1046.exe
5464	ffIGBWD1046.exe
5564	ffIGBWD1046.exe
5656	ffIGBWD1046.exe
5808	ffIGBWD1046.exe
5940	ffIGBWD1046.exe
6040	ffIGBWD1046.exe
6088	ffIGBWD1046.exe
5136	ffIGBWD1046.exe
4460	ffIGBWD1046.exe
3256	ffIGBWD1046.exe
396	ffIGBWD1046.exe
5432	ffIGBWD1046.exe
5796	ffIGBWD1046.exe
5880	ffIGBWD1046.exe
6092	ffIGBWD1046.exe
5192	ffIGBWD1046.exe
5424	ffIGBWD1046.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	Process not Found
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File created	C:\Windows\SysWOW64\ffIGBWD1046.exe	ffIGBWD1046.exe
File opened for modification	C:\Windows\SysWOW64\ffIGBWD1046.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3944	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	83
PID 2488 wrote to memory of 3944	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	83
PID 2488 wrote to memory of 3944	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	83
PID 2488 wrote to memory of 1084	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	84
PID 2488 wrote to memory of 1084	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	84
PID 2488 wrote to memory of 1084	2488	40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe	84
PID 1084 wrote to memory of 4292	1084	ffIGBWD1046.exe	86
PID 1084 wrote to memory of 4292	1084	ffIGBWD1046.exe	86
PID 1084 wrote to memory of 4292	1084	ffIGBWD1046.exe	86
PID 1084 wrote to memory of 5068	1084	ffIGBWD1046.exe	87
PID 1084 wrote to memory of 5068	1084	ffIGBWD1046.exe	87
PID 1084 wrote to memory of 5068	1084	ffIGBWD1046.exe	87
PID 5068 wrote to memory of 2100	5068	ffIGBWD1046.exe	88
PID 5068 wrote to memory of 2100	5068	ffIGBWD1046.exe	88
PID 5068 wrote to memory of 2100	5068	ffIGBWD1046.exe	88
PID 5068 wrote to memory of 976	5068	ffIGBWD1046.exe	89
PID 5068 wrote to memory of 976	5068	ffIGBWD1046.exe	89
PID 5068 wrote to memory of 976	5068	ffIGBWD1046.exe	89
PID 976 wrote to memory of 1636	976	ffIGBWD1046.exe	91
PID 976 wrote to memory of 1636	976	ffIGBWD1046.exe	91
PID 976 wrote to memory of 1636	976	ffIGBWD1046.exe	91
PID 976 wrote to memory of 1644	976	ffIGBWD1046.exe	92
PID 976 wrote to memory of 1644	976	ffIGBWD1046.exe	92
PID 976 wrote to memory of 1644	976	ffIGBWD1046.exe	92
PID 1644 wrote to memory of 4672	1644	ffIGBWD1046.exe	95
PID 1644 wrote to memory of 4672	1644	ffIGBWD1046.exe	95
PID 1644 wrote to memory of 4672	1644	ffIGBWD1046.exe	95
PID 1644 wrote to memory of 4804	1644	ffIGBWD1046.exe	96
PID 1644 wrote to memory of 4804	1644	ffIGBWD1046.exe	96
PID 1644 wrote to memory of 4804	1644	ffIGBWD1046.exe	96
PID 4804 wrote to memory of 2552	4804	ffIGBWD1046.exe	98
PID 4804 wrote to memory of 2552	4804	ffIGBWD1046.exe	98
PID 4804 wrote to memory of 2552	4804	ffIGBWD1046.exe	98
PID 4804 wrote to memory of 4404	4804	ffIGBWD1046.exe	99
PID 4804 wrote to memory of 4404	4804	ffIGBWD1046.exe	99
PID 4804 wrote to memory of 4404	4804	ffIGBWD1046.exe	99
PID 3944 wrote to memory of 2588	3944	cmd.exe	101
PID 3944 wrote to memory of 2588	3944	cmd.exe	101
PID 3944 wrote to memory of 2588	3944	cmd.exe	101
PID 4404 wrote to memory of 2096	4404	ffIGBWD1046.exe	102
PID 4404 wrote to memory of 2096	4404	ffIGBWD1046.exe	102
PID 4404 wrote to memory of 2096	4404	ffIGBWD1046.exe	102
PID 4404 wrote to memory of 5072	4404	ffIGBWD1046.exe	103
PID 4404 wrote to memory of 5072	4404	ffIGBWD1046.exe	103
PID 4404 wrote to memory of 5072	4404	ffIGBWD1046.exe	103
PID 5072 wrote to memory of 4948	5072	ffIGBWD1046.exe	105
PID 5072 wrote to memory of 4948	5072	ffIGBWD1046.exe	105
PID 5072 wrote to memory of 4948	5072	ffIGBWD1046.exe	105
PID 5072 wrote to memory of 2116	5072	ffIGBWD1046.exe	106
PID 5072 wrote to memory of 2116	5072	ffIGBWD1046.exe	106
PID 5072 wrote to memory of 2116	5072	ffIGBWD1046.exe	106
PID 2116 wrote to memory of 3076	2116	ffIGBWD1046.exe	108
PID 2116 wrote to memory of 3076	2116	ffIGBWD1046.exe	108
PID 2116 wrote to memory of 3076	2116	ffIGBWD1046.exe	108
PID 2116 wrote to memory of 4124	2116	ffIGBWD1046.exe	109
PID 2116 wrote to memory of 4124	2116	ffIGBWD1046.exe	109
PID 2116 wrote to memory of 4124	2116	ffIGBWD1046.exe	109
PID 4124 wrote to memory of 2992	4124	ffIGBWD1046.exe	111
PID 4124 wrote to memory of 2992	4124	ffIGBWD1046.exe	111
PID 4124 wrote to memory of 2992	4124	ffIGBWD1046.exe	111
PID 4124 wrote to memory of 1584	4124	ffIGBWD1046.exe	112
PID 4124 wrote to memory of 1584	4124	ffIGBWD1046.exe	112
PID 4124 wrote to memory of 1584	4124	ffIGBWD1046.exe	112
PID 4672 wrote to memory of 4484	4672	cmd.exe	113

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
10000	attrib.exe
11884	attrib.exe
8592	attrib.exe
10392	attrib.exe
11472	Process not Found
10704	Process not Found
13780	Process not Found
5684	attrib.exe
6500	attrib.exe
11768	attrib.exe
11676	Process not Found
14160	Process not Found
6068	attrib.exe
10164	attrib.exe
11072	attrib.exe
10396	attrib.exe
10164	attrib.exe
12368	Process not Found
6280	attrib.exe
10860	Process not Found
11476	Process not Found
2876	attrib.exe
10960	attrib.exe
10312	Process not Found
12832	Process not Found
5952	attrib.exe
7900	attrib.exe
9248	attrib.exe
10532	attrib.exe
12460	Process not Found
5832	attrib.exe
4156	attrib.exe
6368	attrib.exe
8456	attrib.exe
8784	attrib.exe
10480	attrib.exe
9424	Process not Found
14024	Process not Found
12572	Process not Found
12136	attrib.exe
11700	Process not Found
10388	Process not Found
13352	Process not Found
7140	attrib.exe
7216	attrib.exe
9000	attrib.exe
9468	attrib.exe
13360	Process not Found
5416	attrib.exe
11028	Process not Found
12084	Process not Found
13560	Process not Found
11496	attrib.exe
14120	Process not Found
14040	Process not Found
6688	attrib.exe
13808	Process not Found
2588	attrib.exe
2324	attrib.exe
8436	attrib.exe
7004	attrib.exe
11668	Process not Found
10000	Process not Found
11744	attrib.exe

C:\Users\Admin\AppData\Local\Temp\40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618500.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\40ba1455487b1ae8b76c6e89bd20aa1d_JaffaCakes118.exe" -r -a -s -h
    3⤵
    - Views/modifies file attributes
    PID:2588
- C:\Windows\SysWOW64\ffIGBWD1046.exe
  C:\Windows\system32\ffIGBWD1046.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618531.bat
    3⤵
    PID:4292
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:4772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:2324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:5588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:7072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:8940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:9904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
      4⤵
      PID:6300
- - C:\Windows\SysWOW64\ffIGBWD1046.exe
    C:\Windows\system32\ffIGBWD1046.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618531.bat
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:3744
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:6592
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:8412
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:9064
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:10356
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        5⤵
        
        PID:11844
  - - C:\Windows\SysWOW64\ffIGBWD1046.exe
      C:\Windows\system32\ffIGBWD1046.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618562.bat
        5⤵
        
        PID:1636
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:2232
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:1064
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:6416
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:7272
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:9176
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        6⤵
        
        PID:10736
    - - C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618593.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        Views/modifies file attributes
        
        PID:6688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        7⤵
        
        PID:12032
      - C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618609.bat
        7⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        Views/modifies file attributes
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        8⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618640.bat
        8⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        9⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618671.bat
        9⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        10⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618703.bat
        10⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        11⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618734.bat
        11⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        12⤵
        
        PID:11736
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        11⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618812.bat
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        13⤵
        
        PID:11756
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        12⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618843.bat
        13⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        14⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618890.bat
        14⤵
        
        PID:400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        15⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        14⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618921.bat
        15⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        16⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        16⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        16⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        16⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        16⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        15⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618968.bat
        16⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        17⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        17⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        17⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        17⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        17⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        16⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240618984.bat
        17⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        18⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        17⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619015.bat
        18⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        19⤵
        
        PID:752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        19⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        19⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        19⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        19⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        18⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619078.bat
        19⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        20⤵
        Views/modifies file attributes
        
        PID:11744
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        19⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619109.bat
        20⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        21⤵
        
        PID:396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        21⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        21⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        21⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        20⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619140.bat
        21⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        22⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        22⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        22⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        22⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        22⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        21⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619156.bat
        22⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        
        PID:10444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        23⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        22⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619187.bat
        23⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        24⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        24⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        24⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        24⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        24⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        23⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619218.bat
        24⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        25⤵
        Drops file in System32 directory
        
        PID:10996
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        24⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619265.bat
        25⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:5416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        26⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        26⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        26⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        26⤵
        Views/modifies file attributes
        
        PID:10396
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        25⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619281.bat
        26⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        27⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        27⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        27⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        27⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        27⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619343.bat
        27⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        28⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        28⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        28⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        28⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        28⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        27⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619406.bat
        28⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        29⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        29⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        29⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        29⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        29⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619437.bat
        29⤵
        
        PID:636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        30⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        29⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619484.bat
        30⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        31⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        31⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        31⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        31⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        31⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        30⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619515.bat
        31⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        32⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        32⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        32⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        32⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        32⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        31⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619562.bat
        32⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        33⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        33⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        33⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        33⤵
        Views/modifies file attributes
        
        PID:10392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        33⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619593.bat
        33⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        34⤵
        Views/modifies file attributes
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        34⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        34⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        34⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        34⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        33⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619625.bat
        34⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        35⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        35⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        35⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        35⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        35⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        34⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619656.bat
        35⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        36⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        36⤵
        Views/modifies file attributes
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        36⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        36⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        36⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        35⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619687.bat
        36⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        37⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        37⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        37⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        37⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        37⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        36⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619703.bat
        37⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        38⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        37⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619765.bat
        38⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        Views/modifies file attributes
        
        PID:7900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        39⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        38⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619859.bat
        39⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        40⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        40⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        40⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        40⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        40⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        39⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619921.bat
        40⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        41⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        41⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        41⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        41⤵
        Drops file in System32 directory
        
        PID:10104
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        40⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619953.bat
        41⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        42⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        42⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        42⤵
        Views/modifies file attributes
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        42⤵
        Views/modifies file attributes
        
        PID:9468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        42⤵
        Views/modifies file attributes
        
        PID:10532
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        41⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240619984.bat
        42⤵
        
        PID:888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        43⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        42⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620015.bat
        43⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        44⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        44⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        44⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        44⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620046.bat
        44⤵
        
        PID:884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        45⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        45⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        45⤵
        Drops file in System32 directory
        
        PID:9932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        45⤵
        Views/modifies file attributes
        
        PID:10480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        45⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        44⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620062.bat
        45⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        46⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        46⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        46⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        46⤵
        Views/modifies file attributes
        
        PID:10960
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        45⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620093.bat
        46⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        47⤵
        Views/modifies file attributes
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        47⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        47⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        47⤵
        
        PID:448
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        46⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620140.bat
        47⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        48⤵
        
        PID:816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        48⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        48⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        48⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        48⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        47⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620359.bat
        48⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        49⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        49⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        49⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        49⤵
        Views/modifies file attributes
        
        PID:10164
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        48⤵
        Executes dropped EXE
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620421.bat
        49⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        50⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        50⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        50⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        50⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        50⤵
        
        PID:12056
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        49⤵
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620484.bat
        50⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        51⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        51⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        51⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        51⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        50⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620515.bat
        51⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        52⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        52⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        52⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        52⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        51⤵
        Executes dropped EXE
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620593.bat
        52⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        53⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        53⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        53⤵
        Drops file in System32 directory
        
        PID:9064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        53⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        52⤵
        Executes dropped EXE
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620640.bat
        53⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        54⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        54⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        54⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        54⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        53⤵
        Executes dropped EXE
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620687.bat
        54⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        Views/modifies file attributes
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        55⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620734.bat
        55⤵
        
        PID:6080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        56⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        56⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        56⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        55⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620796.bat
        56⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        57⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        57⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        57⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        57⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        56⤵
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620843.bat
        57⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        58⤵
        Views/modifies file attributes
        
        PID:6368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        58⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        58⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        57⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620875.bat
        58⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        59⤵
        Views/modifies file attributes
        
        PID:4156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        59⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        59⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        59⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        58⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240620921.bat
        59⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        60⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        60⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        60⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        60⤵
        Views/modifies file attributes
        
        PID:11496
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        59⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621015.bat
        60⤵
        
        PID:5564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        61⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:8456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        61⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        60⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621031.bat
        61⤵
        
        PID:5852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        62⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        62⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        62⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        62⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        61⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621062.bat
        62⤵
        
        PID:5844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        63⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        63⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        63⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        63⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        63⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        62⤵
        Executes dropped EXE
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621093.bat
        63⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        64⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        64⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        64⤵
        Drops file in System32 directory
        
        PID:9620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        64⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        63⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621140.bat
        64⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        65⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        65⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        65⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        65⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        64⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621203.bat
        65⤵
        
        PID:5536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        66⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        66⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        66⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        66⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        65⤵
        Executes dropped EXE
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621265.bat
        66⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        67⤵
        Views/modifies file attributes
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        67⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        67⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        67⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        66⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621312.bat
        67⤵
        
        PID:6004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        68⤵
        Views/modifies file attributes
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        68⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        68⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        68⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        67⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621359.bat
        68⤵
        
        PID:5968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        69⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        69⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        69⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        69⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        68⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621390.bat
        69⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        70⤵
        Views/modifies file attributes
        
        PID:7216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        70⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        70⤵
        Views/modifies file attributes
        
        PID:11072
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        69⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621421.bat
        70⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        71⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        71⤵
        Views/modifies file attributes
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        71⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        71⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        70⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621484.bat
        71⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        72⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        72⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        72⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        71⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621500.bat
        72⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        73⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        73⤵
        Drops file in System32 directory
        
        PID:7856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        73⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        73⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        72⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621515.bat
        73⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        74⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        74⤵
        Views/modifies file attributes
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        74⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        74⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        73⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621546.bat
        74⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        75⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        75⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        75⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        75⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        74⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621593.bat
        75⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        76⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        76⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        76⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        75⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621656.bat
        76⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        77⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        77⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        77⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        76⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621687.bat
        77⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        78⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        78⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        78⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        77⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621781.bat
        78⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        79⤵
        Drops file in System32 directory
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        79⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        79⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        78⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621828.bat
        79⤵
        
        PID:7148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        80⤵
        
        PID:752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        80⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        80⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        80⤵
        Drops file in System32 directory
        
        PID:11000
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        79⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240621921.bat
        80⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        81⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        81⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        81⤵
        Drops file in System32 directory
        
        PID:11664
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        80⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622000.bat
        81⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        82⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        82⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        82⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        81⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622015.bat
        82⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        83⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        83⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        83⤵
        
        PID:448
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        82⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622046.bat
        83⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        84⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        84⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        84⤵
        Drops file in System32 directory
        
        PID:10496
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        83⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622062.bat
        84⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        85⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        85⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        85⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        84⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622093.bat
        85⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        86⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        86⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        86⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        86⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        85⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622140.bat
        86⤵
        
        PID:7080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        87⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        87⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        87⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        86⤵
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622203.bat
        87⤵
        
        PID:5876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        88⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        88⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        88⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        88⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        87⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622234.bat
        88⤵
        
        PID:7060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        89⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        89⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        89⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        88⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622281.bat
        89⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        90⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        90⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        90⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        89⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622312.bat
        90⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        91⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        91⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        91⤵
        Drops file in System32 directory
        
        PID:10576
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        90⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622375.bat
        91⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        92⤵
        Views/modifies file attributes
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        92⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        92⤵
        Drops file in System32 directory
        
        PID:11772
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        91⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622406.bat
        92⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        93⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        93⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        93⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        92⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622453.bat
        93⤵
        
        PID:6612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        94⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        94⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        94⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        94⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        93⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622515.bat
        94⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        95⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        95⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        94⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622562.bat
        95⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        96⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        96⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        96⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        95⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622640.bat
        96⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        97⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        97⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        97⤵
        Drops file in System32 directory
        
        PID:11476
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        96⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622671.bat
        97⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        98⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        98⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        98⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        97⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622703.bat
        98⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        99⤵
        Views/modifies file attributes
        
        PID:8436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        99⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        98⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622734.bat
        99⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        100⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        100⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        100⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        99⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622750.bat
        100⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        101⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        101⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        101⤵
        Drops file in System32 directory
        
        PID:10444
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        100⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622812.bat
        101⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        102⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        102⤵
        Drops file in System32 directory
        
        PID:10044
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        101⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240622890.bat
        102⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        103⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        103⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        103⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        102⤵
        Drops file in System32 directory
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623000.bat
        103⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        104⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        104⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        104⤵
        
        PID:12260
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        103⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623062.bat
        104⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        105⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        105⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        104⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623109.bat
        105⤵
        
        PID:7320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        106⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        106⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        105⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623140.bat
        106⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        107⤵
        Views/modifies file attributes
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        107⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        107⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        106⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623171.bat
        107⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        108⤵
        Drops file in System32 directory
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        108⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        108⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        107⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623203.bat
        108⤵
        
        PID:7588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        109⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        109⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        109⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        108⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623328.bat
        109⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        110⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        110⤵
        Views/modifies file attributes
        
        PID:10000
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        109⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623359.bat
        110⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        111⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        111⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        110⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623390.bat
        111⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        112⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        112⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        112⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        111⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623453.bat
        112⤵
        
        PID:6452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        113⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        113⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        113⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        112⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623531.bat
        113⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        114⤵
        
        PID:448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        114⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        113⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623562.bat
        114⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        115⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        115⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        114⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623609.bat
        115⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        116⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        116⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        116⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        115⤵
        Drops file in System32 directory
        
        PID:8280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623656.bat
        116⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        117⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        117⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        116⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623703.bat
        117⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        118⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        118⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        117⤵
        Drops file in System32 directory
        
        PID:8576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623734.bat
        118⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        119⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        119⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        118⤵
        Drops file in System32 directory
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623812.bat
        119⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        120⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        120⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        120⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        119⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623859.bat
        120⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        121⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        121⤵
        Drops file in System32 directory
        
        PID:10436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        121⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        120⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623921.bat
        121⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        122⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        122⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        121⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240623968.bat
        122⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        123⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        123⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        123⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        122⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624046.bat
        123⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        124⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        124⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        123⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624140.bat
        124⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        125⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        125⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        124⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624203.bat
        125⤵
        
        PID:8620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        126⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        126⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        125⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624312.bat
        126⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        127⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        127⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        127⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        127⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        126⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624328.bat
        127⤵
        
        PID:8908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        128⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        128⤵
        
        PID:10312
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        127⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624421.bat
        128⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        129⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        129⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        128⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624453.bat
        129⤵
        
        PID:7660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        130⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        130⤵
        Views/modifies file attributes
        
        PID:12136
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        129⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624515.bat
        130⤵
        
        PID:6320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        131⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        131⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        131⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        131⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        131⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        130⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624562.bat
        131⤵
        
        PID:6604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        132⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        132⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        132⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        131⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624578.bat
        132⤵
        
        PID:8888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        133⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        133⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        132⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624656.bat
        133⤵
        
        PID:7856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        134⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        134⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        133⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624687.bat
        134⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        135⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        135⤵
        Views/modifies file attributes
        
        PID:11768
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        134⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624734.bat
        135⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        136⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        136⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        135⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624765.bat
        136⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        137⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        137⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        136⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624796.bat
        137⤵
        
        PID:7728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        138⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        138⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        137⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624859.bat
        138⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        139⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        139⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        138⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624906.bat
        139⤵
        
        PID:7700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        140⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        140⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        139⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240624953.bat
        140⤵
        
        PID:8340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        141⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        140⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625000.bat
        141⤵
        
        PID:8368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        142⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        142⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        141⤵
        Drops file in System32 directory
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625046.bat
        142⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        143⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        143⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        142⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625078.bat
        143⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        144⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        143⤵
        Drops file in System32 directory
        
        PID:8680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625171.bat
        144⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        145⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        144⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625250.bat
        145⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        146⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        145⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625375.bat
        146⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        147⤵
        Views/modifies file attributes
        
        PID:10164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        147⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        146⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625453.bat
        147⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        148⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        148⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        147⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625531.bat
        148⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        149⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        149⤵
        Drops file in System32 directory
        
        PID:11920
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        148⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625578.bat
        149⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        150⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        150⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        149⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625609.bat
        150⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        151⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        150⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625687.bat
        151⤵
        
        PID:8352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        152⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        152⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        151⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625750.bat
        152⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        153⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        152⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625796.bat
        153⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        154⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        153⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625859.bat
        154⤵
        
        PID:8852
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        155⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        154⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625906.bat
        155⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        156⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        155⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625937.bat
        156⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        157⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        156⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240625968.bat
        157⤵
        
        PID:7996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        158⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        158⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        157⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626031.bat
        158⤵
        
        PID:9388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        159⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        158⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626078.bat
        159⤵
        
        PID:9648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        160⤵
        Drops file in System32 directory
        
        PID:11672
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        159⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626140.bat
        160⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        161⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        160⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626234.bat
        161⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        162⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        161⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626296.bat
        162⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        163⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        162⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626375.bat
        163⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        164⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        163⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626531.bat
        164⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        165⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        164⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626625.bat
        165⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        166⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        165⤵
        Drops file in System32 directory
        
        PID:11152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626656.bat
        166⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        167⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        166⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626750.bat
        167⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        168⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        167⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626828.bat
        168⤵
        
        PID:10648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        168⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626859.bat
        169⤵
        
        PID:10172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        170⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        169⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626890.bat
        170⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        171⤵
        Drops file in System32 directory
        
        PID:11752
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        170⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626937.bat
        171⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        171⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240626968.bat
        172⤵
        
        PID:11196
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        172⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627031.bat
        173⤵
        
        PID:9508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        174⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        173⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627062.bat
        174⤵
        
        PID:8268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        174⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627109.bat
        175⤵
        
        PID:8260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        176⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        175⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627140.bat
        176⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        176⤵
        Drops file in System32 directory
        
        PID:8556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627265.bat
        177⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        178⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        177⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627296.bat
        178⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        178⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627343.bat
        179⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        179⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627421.bat
        180⤵
        
        PID:9164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        180⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627453.bat
        181⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        181⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627500.bat
        182⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        182⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627546.bat
        183⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        183⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627578.bat
        184⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        184⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627640.bat
        185⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        185⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627765.bat
        186⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        186⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627843.bat
        187⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        187⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627890.bat
        188⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        189⤵
        Views/modifies file attributes
        
        PID:11884
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        188⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627921.bat
        189⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        190⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        190⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        189⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240627953.bat
        190⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        190⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628000.bat
        191⤵
        
        PID:12192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        192⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        191⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628125.bat
        192⤵
        
        PID:9724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        192⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628187.bat
        193⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        193⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628265.bat
        194⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        194⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628296.bat
        195⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ffIGBWD1046.exe" -r -a -s -h
        196⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        195⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628328.bat
        196⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        196⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628421.bat
        197⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        197⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628500.bat
        198⤵
        
        PID:9752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        198⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628562.bat
        199⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        199⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628609.bat
        200⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        200⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\d8008d8e164c240628656.bat
        201⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\ffIGBWD1046.exe
        
        C:\Windows\system32\ffIGBWD1046.exe
        201⤵
        
        PID:8288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ffIGBWD1046.exe

Filesize
2KB

MD5
40ba1455487b1ae8b76c6e89bd20aa1d

SHA1
d76004bb31a5a7a00b950f7349861e346c46cd23

SHA256
2203945283b793cba3d79605d3ffb421b7b74c5d0604885e2797f80e62348eb4

SHA512
0e0142cd26e541dd2ecf2b3ea9612c00773153f2075933e754f84b69dcd84859755a6db81fe73bf67dfd810d6002da2eea8fe1de4cdef4db37aea31550412481

Download Submit
\??\c:\d8008d8e164c240618500.bat

Filesize
332B

MD5
f6289065a794a613e1d2fd49bb17bab1

SHA1
cc15e9bdb1d2a646101bcd49927662ba7d31d55a

SHA256
b75e12a8c76d90d520a6f55c69dce9966233e101e2ffa15b467db976b5467312

SHA512
325e31e45ae19a25d32778d61d80db63926f354deee92641f2ddbe253686194f856810148dbc1db993898ae2f4aea68b32793bc47e57badb0fc32e0472864d95

Download Submit
\??\c:\d8008d8e164c240618531.bat

Filesize
185B

MD5
8d74e1a14bae7ebb712257c74587f767

SHA1
18a943036dbe03393148d76ea78239cb532dbc96

SHA256
efc8c07f895f31a9d4cee35e8a5cf58a865ccaaf255381ce3086ee1dbaa92812

SHA512
f48f622f79111455928d6e34ddc7cca8ec346183bd4966d69aadb4c341c9635ed29f9799589c52b8bbb9b6fbe2bebf90fb96e62ed6fb9c859f49e5f3cf73321e

Download Submit
memory/10820-567-0x00000000769B0000-0x0000000076BC5000-memory.dmp

Filesize
2.1MB

Download