9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c

Analysis

max time kernel
67s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
Size

5KB
MD5

5f7ed3d9c4bb91dd82349d84196d89cb
SHA1

078e452f528685a8f6c6d83bb3ef6bb3814c31f1
SHA256

9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c
SHA512

db8f539b8642d3429daeb80bfbd912f5a6cec3fe8ccd1ca8c88549fd8bbcc21ede9440cae71f7dec4b57f8739a805c8acb409cf6adf5b999da665ccc0927ca58
SSDEEP

96:kX8zuLJ+B+4LJEXs137rs2V1aTaylCAxXFD:YT4L2813noaqCC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2164	ayNNBNNB1042.exe
2688	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2664	ayNNBNNB1042.exe
3000	ayNNBNNB1042.exe
1372	ayNNBNNB1042.exe
1684	ayNNBNNB1042.exe
2336	ayNNBNNB1042.exe
1688	ayNNBNNB1042.exe
1060	ayNNBNNB1042.exe
1552	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
2748	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
2200	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2808	ayNNBNNB1042.exe
1140	ayNNBNNB1042.exe
956	ayNNBNNB1042.exe
1440	ayNNBNNB1042.exe
2080	ayNNBNNB1042.exe
2328	ayNNBNNB1042.exe
704	ayNNBNNB1042.exe
2584	ayNNBNNB1042.exe
2792	ayNNBNNB1042.exe
572	ayNNBNNB1042.exe
1584	ayNNBNNB1042.exe
1232	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
2896	ayNNBNNB1042.exe
1244	ayNNBNNB1042.exe
1548	ayNNBNNB1042.exe
1276	ayNNBNNB1042.exe
368	ayNNBNNB1042.exe
1772	ayNNBNNB1042.exe
872	ayNNBNNB1042.exe
1708	ayNNBNNB1042.exe
2284	ayNNBNNB1042.exe
1596	ayNNBNNB1042.exe
2820	ayNNBNNB1042.exe
2064	ayNNBNNB1042.exe
2568	ayNNBNNB1042.exe
1276	ayNNBNNB1042.exe
880	ayNNBNNB1042.exe
2668	ayNNBNNB1042.exe
2520	ayNNBNNB1042.exe
888	ayNNBNNB1042.exe
2408	ayNNBNNB1042.exe
2036	ayNNBNNB1042.exe
1464	ayNNBNNB1042.exe
2408	ayNNBNNB1042.exe
1684	ayNNBNNB1042.exe
3156	ayNNBNNB1042.exe
3536	ayNNBNNB1042.exe
3928	ayNNBNNB1042.exe
1156	ayNNBNNB1042.exe
3344	ayNNBNNB1042.exe
3576	ayNNBNNB1042.exe
3980	ayNNBNNB1042.exe
880	ayNNBNNB1042.exe
3528	ayNNBNNB1042.exe
560	ayNNBNNB1042.exe
1156	ayNNBNNB1042.exe

Loads dropped DLL 64 IoCs

pid	Process
2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
2164	ayNNBNNB1042.exe
2164	ayNNBNNB1042.exe
2688	ayNNBNNB1042.exe
2688	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2664	ayNNBNNB1042.exe
2664	ayNNBNNB1042.exe
3000	ayNNBNNB1042.exe
3000	ayNNBNNB1042.exe
1372	ayNNBNNB1042.exe
1372	ayNNBNNB1042.exe
1684	ayNNBNNB1042.exe
1684	ayNNBNNB1042.exe
2336	ayNNBNNB1042.exe
2336	ayNNBNNB1042.exe
1688	ayNNBNNB1042.exe
1688	ayNNBNNB1042.exe
1060	ayNNBNNB1042.exe
1060	ayNNBNNB1042.exe
1552	ayNNBNNB1042.exe
1552	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
2748	ayNNBNNB1042.exe
2748	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
2200	ayNNBNNB1042.exe
2200	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2692	ayNNBNNB1042.exe
2808	ayNNBNNB1042.exe
2808	ayNNBNNB1042.exe
1140	ayNNBNNB1042.exe
1140	ayNNBNNB1042.exe
956	ayNNBNNB1042.exe
956	ayNNBNNB1042.exe
1440	ayNNBNNB1042.exe
1440	ayNNBNNB1042.exe
2080	ayNNBNNB1042.exe
2080	ayNNBNNB1042.exe
2328	ayNNBNNB1042.exe
2328	ayNNBNNB1042.exe
704	ayNNBNNB1042.exe
704	ayNNBNNB1042.exe
2584	ayNNBNNB1042.exe
2584	ayNNBNNB1042.exe
2792	ayNNBNNB1042.exe
2792	ayNNBNNB1042.exe
572	ayNNBNNB1042.exe
572	ayNNBNNB1042.exe
1584	ayNNBNNB1042.exe
1584	ayNNBNNB1042.exe
1232	ayNNBNNB1042.exe
1232	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
876	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
1612	ayNNBNNB1042.exe
2896	ayNNBNNB1042.exe
2896	ayNNBNNB1042.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1244	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1244	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1244	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1244	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2164	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2164	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2164	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	33
PID 2476 wrote to memory of 2164	2476	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2632	2164	ayNNBNNB1042.exe	34
PID 2164 wrote to memory of 2632	2164	ayNNBNNB1042.exe	34
PID 2164 wrote to memory of 2632	2164	ayNNBNNB1042.exe	34
PID 2164 wrote to memory of 2632	2164	ayNNBNNB1042.exe	34
PID 2164 wrote to memory of 2688	2164	ayNNBNNB1042.exe	35
PID 2164 wrote to memory of 2688	2164	ayNNBNNB1042.exe	35
PID 2164 wrote to memory of 2688	2164	ayNNBNNB1042.exe	35
PID 2164 wrote to memory of 2688	2164	ayNNBNNB1042.exe	35
PID 1244 wrote to memory of 3060	1244	cmd.exe	37
PID 1244 wrote to memory of 3060	1244	cmd.exe	37
PID 1244 wrote to memory of 3060	1244	cmd.exe	37
PID 1244 wrote to memory of 3060	1244	cmd.exe	37
PID 2632 wrote to memory of 2812	2632	cmd.exe	128
PID 2632 wrote to memory of 2812	2632	cmd.exe	128
PID 2632 wrote to memory of 2812	2632	cmd.exe	128
PID 2632 wrote to memory of 2812	2632	cmd.exe	128
PID 2688 wrote to memory of 2776	2688	ayNNBNNB1042.exe	39
PID 2688 wrote to memory of 2776	2688	ayNNBNNB1042.exe	39
PID 2688 wrote to memory of 2776	2688	ayNNBNNB1042.exe	39
PID 2688 wrote to memory of 2776	2688	ayNNBNNB1042.exe	39
PID 2688 wrote to memory of 2692	2688	ayNNBNNB1042.exe	129
PID 2688 wrote to memory of 2692	2688	ayNNBNNB1042.exe	129
PID 2688 wrote to memory of 2692	2688	ayNNBNNB1042.exe	129
PID 2688 wrote to memory of 2692	2688	ayNNBNNB1042.exe	129
PID 2692 wrote to memory of 2548	2692	ayNNBNNB1042.exe	42
PID 2692 wrote to memory of 2548	2692	ayNNBNNB1042.exe	42
PID 2692 wrote to memory of 2548	2692	ayNNBNNB1042.exe	42
PID 2692 wrote to memory of 2548	2692	ayNNBNNB1042.exe	42
PID 2692 wrote to memory of 2664	2692	ayNNBNNB1042.exe	43
PID 2692 wrote to memory of 2664	2692	ayNNBNNB1042.exe	43
PID 2692 wrote to memory of 2664	2692	ayNNBNNB1042.exe	43
PID 2692 wrote to memory of 2664	2692	ayNNBNNB1042.exe	43
PID 2664 wrote to memory of 2600	2664	ayNNBNNB1042.exe	45
PID 2664 wrote to memory of 2600	2664	ayNNBNNB1042.exe	45
PID 2664 wrote to memory of 2600	2664	ayNNBNNB1042.exe	45
PID 2664 wrote to memory of 2600	2664	ayNNBNNB1042.exe	45
PID 2664 wrote to memory of 3000	2664	ayNNBNNB1042.exe	202
PID 2664 wrote to memory of 3000	2664	ayNNBNNB1042.exe	202
PID 2664 wrote to memory of 3000	2664	ayNNBNNB1042.exe	202
PID 2664 wrote to memory of 3000	2664	ayNNBNNB1042.exe	202
PID 2632 wrote to memory of 2984	2632	cmd.exe	178
PID 2632 wrote to memory of 2984	2632	cmd.exe	178
PID 2632 wrote to memory of 2984	2632	cmd.exe	178
PID 2632 wrote to memory of 2984	2632	cmd.exe	178
PID 3000 wrote to memory of 1952	3000	ayNNBNNB1042.exe	49
PID 3000 wrote to memory of 1952	3000	ayNNBNNB1042.exe	49
PID 3000 wrote to memory of 1952	3000	ayNNBNNB1042.exe	49
PID 3000 wrote to memory of 1952	3000	ayNNBNNB1042.exe	49
PID 3000 wrote to memory of 1372	3000	ayNNBNNB1042.exe	50
PID 3000 wrote to memory of 1372	3000	ayNNBNNB1042.exe	50
PID 3000 wrote to memory of 1372	3000	ayNNBNNB1042.exe	50
PID 3000 wrote to memory of 1372	3000	ayNNBNNB1042.exe	50
PID 2632 wrote to memory of 552	2632	cmd.exe	214
PID 2632 wrote to memory of 552	2632	cmd.exe	214
PID 2632 wrote to memory of 552	2632	cmd.exe	214
PID 2632 wrote to memory of 552	2632	cmd.exe	214

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4660	Process not Found
4424	Process not Found
4064	Process not Found
2448	Process not Found
4056	Process not Found
4820	Process not Found
4704	Process not Found
3888	attrib.exe
3392	attrib.exe
4752	Process not Found
4656	Process not Found
5060	Process not Found
3492	Process not Found
4016	Process not Found
6040	Process not Found
3432	attrib.exe
3852	Process not Found
4364	Process not Found
4008	Process not Found
2872	Process not Found
2064	Process not Found
4444	Process not Found
3536	attrib.exe
1780	Process not Found
1720	Process not Found
4268	Process not Found
5952	Process not Found
2880	Process not Found
3476	attrib.exe
3688	attrib.exe
2080	Process not Found
4088	Process not Found
4456	Process not Found
4456	Process not Found
3284	Process not Found
3296	Process not Found
4264	Process not Found
4040	attrib.exe
4052	attrib.exe
4220	Process not Found
2108	Process not Found
3136	Process not Found
3800	Process not Found
1720	Process not Found
5884	Process not Found
3140	Process not Found
3140	Process not Found
4264	Process not Found
1152	attrib.exe
3296	attrib.exe
3768	Process not Found
4380	Process not Found
4564	Process not Found
4192	Process not Found
4252	Process not Found
3708	attrib.exe
3652	Process not Found
4244	Process not Found
4304	Process not Found
2012	Process not Found
3700	Process not Found
6088	Process not Found
3616	Process not Found
3764	Process not Found

C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\ca69b18ee8c2259455168.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:3060
- C:\Windows\SysWOW64\ayNNBNNB1042.exe
  C:\Windows\system32\ayNNBNNB1042.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\ca69b18ee8c2259455246.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3136
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3740
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:1456
- - C:\Windows\SysWOW64\ayNNBNNB1042.exe
    C:\Windows\system32\ayNNBNNB1042.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\ca69b18ee8c2259455324.bat
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:964
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:316
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:3500
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3728
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:1148
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:3988
  - - C:\Windows\SysWOW64\ayNNBNNB1042.exe
      C:\Windows\system32\ayNNBNNB1042.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455387.bat
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:1128
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:940
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:936
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:612
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:628
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3080
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3740
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:2000
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3668
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:2708
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3704
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3836
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:4092
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3116
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:3284
    - - C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455434.bat
        6⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        Drops file in System32 directory
        
        PID:572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455480.bat
        7⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455527.bat
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455636.bat
        9⤵
        
        PID:840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455886.bat
        10⤵
        
        PID:784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259455995.bat
        11⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456073.bat
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:572
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456385.bat
        13⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456588.bat
        14⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:880
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456604.bat
        15⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456650.bat
        16⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456697.bat
        17⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456744.bat
        18⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456760.bat
        19⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456822.bat
        20⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456853.bat
        21⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456884.bat
        22⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456931.bat
        23⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        Views/modifies file attributes
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456962.bat
        24⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259456994.bat
        25⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457025.bat
        26⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457072.bat
        27⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457118.bat
        28⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457150.bat
        29⤵
        
        PID:628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457196.bat
        30⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457228.bat
        31⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457259.bat
        32⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457290.bat
        33⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        Views/modifies file attributes
        
        PID:3476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        33⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457337.bat
        34⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        Views/modifies file attributes
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        34⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457399.bat
        35⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        35⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457508.bat
        36⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        36⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457555.bat
        37⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        Views/modifies file attributes
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        37⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457586.bat
        38⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        38⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457633.bat
        39⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        39⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457664.bat
        40⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        40⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457696.bat
        41⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        41⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457727.bat
        42⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        42⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457774.bat
        43⤵
        
        PID:552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        43⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457805.bat
        44⤵
        
        PID:956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        Views/modifies file attributes
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        44⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457867.bat
        45⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        Views/modifies file attributes
        
        PID:3688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        Views/modifies file attributes
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        45⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457930.bat
        46⤵
        
        PID:844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        46⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259457976.bat
        47⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        47⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458023.bat
        48⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458070.bat
        49⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:3888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        49⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458117.bat
        50⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        50⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458179.bat
        51⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        51⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458242.bat
        52⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        52⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458257.bat
        53⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        53⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458351.bat
        54⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        54⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259458382.bat
        55⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        55⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259460285.bat
        56⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        56⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259461346.bat
        57⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        57⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259462984.bat
        58⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        58⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259464107.bat
        59⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        59⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259465262.bat
        60⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        Views/modifies file attributes
        
        PID:3536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        60⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259466603.bat
        61⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        61⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259468319.bat
        62⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        Views/modifies file attributes
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        Views/modifies file attributes
        
        PID:4040
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        62⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259469817.bat
        63⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        Drops file in System32 directory
        
        PID:3340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        63⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259471424.bat
        64⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        64⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259472765.bat
        65⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        65⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259474372.bat
        66⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        66⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259475402.bat
        67⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        67⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259477118.bat
        68⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        68⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259478412.bat
        69⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        69⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259479988.bat
        70⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        71⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        71⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        70⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259482016.bat
        71⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        71⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259483514.bat
        72⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        72⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\ca69b18ee8c2259485011.bat
        73⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        73⤵
        Drops file in System32 directory
        
        PID:3232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1660251482161699588281442720-978930660-1487412754-10741204841662741150119844795"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17241777356443680311003361328-1085646322-314058055-554844029-128711130440010767"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "441435126912187397-10428290011890131725-143559166-5690315401929992461518720714"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "499159797-1844140706-476760747-19792832921033303471-8956515465312407971895719096"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1429189912-1391780605-1937150512377270774-1729207993782026900887981481791540678"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8415291587155670476447530201344843890139395969252818692118501228521784039853"
1⤵
PID:432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1002992915-1548295975-1067194250970610321-1272947346-13303039491080047558-950107417"
1⤵
PID:368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1940188294-1992325422-235040003-6368578491699834756-93432196979117391-812305735"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1391330921181940539-1585134462-9011696431954292821-18285842668900300701338936357"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "176825038832849793872986668-1784756272-1577075785486016050-990124332-1927893094"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1375277811464020619-14671319591441906937-1831255803-166479437819243545181201108852"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1303229125883944611-5413224361691029520100067641918450388081821676723-306780957"
1⤵
PID:4076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1089483708-1007023521-20875304218588269282024741007381719045-989140243-465094294"
1⤵
PID:3672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-123679825213035027421918879207-1101923600-1099755103799470424-49096459879363410"
1⤵
PID:3420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "943530631149143406125448483317362327026358557101760013757-36665514-334777304"
1⤵
PID:3328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14892523541056341598-4161079431306020011567703453-1554357686-1936628792-427458524"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "983027870636468236-122935339113703075621876955706-7579508071449427593319698337"
1⤵
PID:3576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141776678905394610-2035670008-284204796561980459405377272-257566283982826968"
1⤵
PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ca69b18ee8c2259455168.bat

Filesize
332B

MD5
6a19b77cd59cec5428b8ac58388dd411

SHA1
88cd1c1be55c17b64b2b89770e39695589c3b6f5

SHA256
2072c9e0b6080fea1125ecee23d7ed34e22e77555ea1a4d60674d001d116e521

SHA512
dee016eaad673334121660b59dc31ca1795c2fbf27fa74860ccae5e3b802571dbe0ae7ec43fa4db85604ff7fa8e3e1d81dc1c483c36fa76e18c08aaa924a6360

Download Submit
C:\ca69b18ee8c2259455246.bat

Filesize
188B

MD5
75113f7107065a77bc3c8f9290b491c3

SHA1
628b26bde0d78a600dec22ae1f394c8ef17b716a

SHA256
9e093d2721685541b22da286491f1c642bd365621e51f8159a81217644712c21

SHA512
473828b3f1a0a2e390d69206a4cba04d6447b37a44a1537462ab1af0692deb91aa11da96ac1268988bfa1cac3f2b8fb4dc3e35f52bbd394d4cac306885ade067

Download Submit
\Windows\SysWOW64\ayNNBNNB1042.exe

Filesize
5KB

MD5
5f7ed3d9c4bb91dd82349d84196d89cb

SHA1
078e452f528685a8f6c6d83bb3ef6bb3814c31f1

SHA256
9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c

SHA512
db8f539b8642d3429daeb80bfbd912f5a6cec3fe8ccd1ca8c88549fd8bbcc21ede9440cae71f7dec4b57f8739a805c8acb409cf6adf5b999da665ccc0927ca58

Download Submit