9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
Size

5KB
MD5

5f7ed3d9c4bb91dd82349d84196d89cb
SHA1

078e452f528685a8f6c6d83bb3ef6bb3814c31f1
SHA256

9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c
SHA512

db8f539b8642d3429daeb80bfbd912f5a6cec3fe8ccd1ca8c88549fd8bbcc21ede9440cae71f7dec4b57f8739a805c8acb409cf6adf5b999da665ccc0927ca58
SSDEEP

96:kX8zuLJ+B+4LJEXs137rs2V1aTaylCAxXFD:YT4L2813noaqCC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3348	ayNNBNNB1042.exe
3408	ayNNBNNB1042.exe
2068	ayNNBNNB1042.exe
3036	ayNNBNNB1042.exe
2052	ayNNBNNB1042.exe
2496	ayNNBNNB1042.exe
4672	ayNNBNNB1042.exe
1164	ayNNBNNB1042.exe
2544	ayNNBNNB1042.exe
1220	ayNNBNNB1042.exe
2164	ayNNBNNB1042.exe
2244	ayNNBNNB1042.exe
1168	ayNNBNNB1042.exe
4852	ayNNBNNB1042.exe
2448	ayNNBNNB1042.exe
3392	ayNNBNNB1042.exe
3140	ayNNBNNB1042.exe
4964	ayNNBNNB1042.exe
1896	ayNNBNNB1042.exe
4076	ayNNBNNB1042.exe
1768	ayNNBNNB1042.exe
4180	ayNNBNNB1042.exe
2348	ayNNBNNB1042.exe
1808	ayNNBNNB1042.exe
4388	ayNNBNNB1042.exe
1104	ayNNBNNB1042.exe
4604	ayNNBNNB1042.exe
3872	ayNNBNNB1042.exe
2312	ayNNBNNB1042.exe
1520	ayNNBNNB1042.exe
4664	ayNNBNNB1042.exe
4416	ayNNBNNB1042.exe
4552	ayNNBNNB1042.exe
3772	ayNNBNNB1042.exe
2364	ayNNBNNB1042.exe
764	ayNNBNNB1042.exe
1808	ayNNBNNB1042.exe
4416	ayNNBNNB1042.exe
1588	ayNNBNNB1042.exe
2348	ayNNBNNB1042.exe
5160	ayNNBNNB1042.exe
5244	ayNNBNNB1042.exe
5368	ayNNBNNB1042.exe
5420	ayNNBNNB1042.exe
5476	ayNNBNNB1042.exe
5640	ayNNBNNB1042.exe
5720	ayNNBNNB1042.exe
5792	ayNNBNNB1042.exe
5840	ayNNBNNB1042.exe
5968	ayNNBNNB1042.exe
6020	ayNNBNNB1042.exe
6140	ayNNBNNB1042.exe
1688	ayNNBNNB1042.exe
5248	ayNNBNNB1042.exe
5516	ayNNBNNB1042.exe
5840	ayNNBNNB1042.exe
6024	ayNNBNNB1042.exe
4708	ayNNBNNB1042.exe
5844	ayNNBNNB1042.exe
5532	ayNNBNNB1042.exe
1688	ayNNBNNB1042.exe
5288	ayNNBNNB1042.exe
5408	ayNNBNNB1042.exe
6236	ayNNBNNB1042.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File created	C:\Windows\SysWOW64\ayNNBNNB1042.exe	ayNNBNNB1042.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ayNNBNNB1042.exe	attrib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 3612	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	86
PID 4448 wrote to memory of 3612	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	86
PID 4448 wrote to memory of 3612	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	86
PID 4448 wrote to memory of 3348	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	87
PID 4448 wrote to memory of 3348	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	87
PID 4448 wrote to memory of 3348	4448	5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe	87
PID 3348 wrote to memory of 3368	3348	ayNNBNNB1042.exe	89
PID 3348 wrote to memory of 3368	3348	ayNNBNNB1042.exe	89
PID 3348 wrote to memory of 3368	3348	ayNNBNNB1042.exe	89
PID 3348 wrote to memory of 3408	3348	ayNNBNNB1042.exe	90
PID 3348 wrote to memory of 3408	3348	ayNNBNNB1042.exe	90
PID 3348 wrote to memory of 3408	3348	ayNNBNNB1042.exe	90
PID 3408 wrote to memory of 984	3408	ayNNBNNB1042.exe	92
PID 3408 wrote to memory of 984	3408	ayNNBNNB1042.exe	92
PID 3408 wrote to memory of 984	3408	ayNNBNNB1042.exe	92
PID 3408 wrote to memory of 2068	3408	ayNNBNNB1042.exe	164
PID 3408 wrote to memory of 2068	3408	ayNNBNNB1042.exe	164
PID 3408 wrote to memory of 2068	3408	ayNNBNNB1042.exe	164
PID 2068 wrote to memory of 1064	2068	ayNNBNNB1042.exe	95
PID 2068 wrote to memory of 1064	2068	ayNNBNNB1042.exe	95
PID 2068 wrote to memory of 1064	2068	ayNNBNNB1042.exe	95
PID 2068 wrote to memory of 3036	2068	ayNNBNNB1042.exe	96
PID 2068 wrote to memory of 3036	2068	ayNNBNNB1042.exe	96
PID 2068 wrote to memory of 3036	2068	ayNNBNNB1042.exe	96
PID 3036 wrote to memory of 1728	3036	ayNNBNNB1042.exe	98
PID 3036 wrote to memory of 1728	3036	ayNNBNNB1042.exe	98
PID 3036 wrote to memory of 1728	3036	ayNNBNNB1042.exe	98
PID 3036 wrote to memory of 2052	3036	ayNNBNNB1042.exe	99
PID 3036 wrote to memory of 2052	3036	ayNNBNNB1042.exe	99
PID 3036 wrote to memory of 2052	3036	ayNNBNNB1042.exe	99
PID 2052 wrote to memory of 3004	2052	ayNNBNNB1042.exe	101
PID 2052 wrote to memory of 3004	2052	ayNNBNNB1042.exe	101
PID 2052 wrote to memory of 3004	2052	ayNNBNNB1042.exe	101
PID 2052 wrote to memory of 2496	2052	ayNNBNNB1042.exe	102
PID 2052 wrote to memory of 2496	2052	ayNNBNNB1042.exe	102
PID 2052 wrote to memory of 2496	2052	ayNNBNNB1042.exe	102
PID 2496 wrote to memory of 3832	2496	ayNNBNNB1042.exe	103
PID 2496 wrote to memory of 3832	2496	ayNNBNNB1042.exe	103
PID 2496 wrote to memory of 3832	2496	ayNNBNNB1042.exe	103
PID 2496 wrote to memory of 4672	2496	ayNNBNNB1042.exe	105
PID 2496 wrote to memory of 4672	2496	ayNNBNNB1042.exe	105
PID 2496 wrote to memory of 4672	2496	ayNNBNNB1042.exe	105
PID 3612 wrote to memory of 3272	3612	cmd.exe	171
PID 3612 wrote to memory of 3272	3612	cmd.exe	171
PID 3612 wrote to memory of 3272	3612	cmd.exe	171
PID 4672 wrote to memory of 1156	4672	ayNNBNNB1042.exe	108
PID 4672 wrote to memory of 1156	4672	ayNNBNNB1042.exe	108
PID 4672 wrote to memory of 1156	4672	ayNNBNNB1042.exe	108
PID 4672 wrote to memory of 1164	4672	ayNNBNNB1042.exe	109
PID 4672 wrote to memory of 1164	4672	ayNNBNNB1042.exe	109
PID 4672 wrote to memory of 1164	4672	ayNNBNNB1042.exe	109
PID 1164 wrote to memory of 2884	1164	ayNNBNNB1042.exe	110
PID 1164 wrote to memory of 2884	1164	ayNNBNNB1042.exe	110
PID 1164 wrote to memory of 2884	1164	ayNNBNNB1042.exe	110
PID 1164 wrote to memory of 2544	1164	ayNNBNNB1042.exe	172
PID 1164 wrote to memory of 2544	1164	ayNNBNNB1042.exe	172
PID 1164 wrote to memory of 2544	1164	ayNNBNNB1042.exe	172
PID 2544 wrote to memory of 2176	2544	ayNNBNNB1042.exe	114
PID 2544 wrote to memory of 2176	2544	ayNNBNNB1042.exe	114
PID 2544 wrote to memory of 2176	2544	ayNNBNNB1042.exe	114
PID 2544 wrote to memory of 1220	2544	ayNNBNNB1042.exe	115
PID 2544 wrote to memory of 1220	2544	ayNNBNNB1042.exe	115
PID 2544 wrote to memory of 1220	2544	ayNNBNNB1042.exe	115
PID 1220 wrote to memory of 4184	1220	ayNNBNNB1042.exe	117

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
11452	Process not Found
7712	attrib.exe
11448	attrib.exe
14116	Process not Found
12112	attrib.exe
6448	attrib.exe
10112	attrib.exe
10632	attrib.exe
13400	Process not Found
8732	attrib.exe
10164	attrib.exe
12864	Process not Found
10768	attrib.exe
14080	Process not Found
12888	Process not Found
4708	attrib.exe
6164	attrib.exe
9176	attrib.exe
10424	attrib.exe
12820	Process not Found
12856	Process not Found
5884	attrib.exe
10480	attrib.exe
11852	Process not Found
10888	attrib.exe
12124	Process not Found
6260	attrib.exe
8416	attrib.exe
8300	attrib.exe
6364	attrib.exe
8784	attrib.exe
12496	Process not Found
10836	attrib.exe
7068	attrib.exe
8876	attrib.exe
13020	Process not Found
9264	attrib.exe
11128	Process not Found
14320	Process not Found
13044	Process not Found
1148	attrib.exe
6140	attrib.exe
10008	attrib.exe
8984	attrib.exe
9328	attrib.exe
13284	Process not Found
9924	attrib.exe
9360	attrib.exe
7028	attrib.exe
7664	attrib.exe
8860	attrib.exe
9512	attrib.exe
10544	attrib.exe
14152	Process not Found
12796	Process not Found
9260	Process not Found
11700	Process not Found
12644	Process not Found
9056	attrib.exe
9020	attrib.exe
11688	attrib.exe
12068	attrib.exe
13684	Process not Found
10140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240645906.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\5f7ed3d9c4bb91dd82349d84196d89cb_JaffaCakes118.exe" -r -a -s -h
    3⤵
    PID:3272
- C:\Windows\SysWOW64\ayNNBNNB1042.exe
  C:\Windows\system32\ayNNBNNB1042.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240645921.bat
    3⤵
    PID:3368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:5304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      Views/modifies file attributes
      PID:6448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:7596
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:8012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:10524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
      4⤵
      PID:11056
- - C:\Windows\SysWOW64\ayNNBNNB1042.exe
    C:\Windows\system32\ayNNBNNB1042.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240645953.bat
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:5340
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:7104
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        Drops file in System32 directory
        
        PID:8396
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        
        PID:9448
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        5⤵
        Views/modifies file attributes
        
        PID:8784
  - - C:\Windows\SysWOW64\ayNNBNNB1042.exe
      C:\Windows\system32\ayNNBNNB1042.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240645968.bat
        5⤵
        
        PID:1064
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        Views/modifies file attributes
        
        PID:1148
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        Drops file in System32 directory
        
        PID:1140
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:6748
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:8716
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:5132
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        6⤵
        
        PID:10848
    - - C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240645984.bat
        6⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        7⤵
        Views/modifies file attributes
        
        PID:10768
      - C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646015.bat
        7⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        8⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646031.bat
        8⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        9⤵
        Drops file in System32 directory
        
        PID:11072
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646078.bat
        9⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        10⤵
        Views/modifies file attributes
        
        PID:11448
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646125.bat
        10⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        Views/modifies file attributes
        
        PID:10008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        11⤵
        Drops file in System32 directory
        
        PID:9424
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646156.bat
        11⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        12⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646187.bat
        12⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        13⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        12⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646234.bat
        13⤵
        
        PID:8
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:4708
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        Views/modifies file attributes
        
        PID:9360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        14⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        13⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646250.bat
        14⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        15⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        14⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646281.bat
        15⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        Views/modifies file attributes
        
        PID:7664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        Views/modifies file attributes
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        16⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        15⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646296.bat
        16⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        Views/modifies file attributes
        
        PID:8732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        17⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        16⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646328.bat
        17⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        18⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        17⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646359.bat
        18⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        Drops file in System32 directory
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        19⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        18⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646390.bat
        19⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        Drops file in System32 directory
        
        PID:8196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        20⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        19⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646421.bat
        20⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        21⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        20⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646453.bat
        21⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        22⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        21⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646484.bat
        22⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        23⤵
        Drops file in System32 directory
        
        PID:10464
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        22⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646515.bat
        23⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        24⤵
        Drops file in System32 directory
        
        PID:11596
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        23⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646546.bat
        24⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        Views/modifies file attributes
        
        PID:9056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        25⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        24⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646578.bat
        25⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        26⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        25⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646640.bat
        26⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        Views/modifies file attributes
        
        PID:7712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        Drops file in System32 directory
        
        PID:9224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        27⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        26⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646718.bat
        27⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        28⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        27⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646734.bat
        28⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:11188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        29⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        28⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646781.bat
        29⤵
        
        PID:116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        Views/modifies file attributes
        
        PID:6364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        30⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10544
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        29⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646812.bat
        30⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        Drops file in System32 directory
        
        PID:7196
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        31⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        30⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646859.bat
        31⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        32⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        31⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646921.bat
        32⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        33⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        32⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240646984.bat
        33⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        34⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        33⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647000.bat
        34⤵
        
        PID:808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        35⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        34⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647031.bat
        35⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        36⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        35⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647093.bat
        36⤵
        
        PID:2000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:8876
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        37⤵
        Views/modifies file attributes
        
        PID:10140
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        36⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647109.bat
        37⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        38⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647140.bat
        38⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        39⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        38⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647187.bat
        39⤵
        
        PID:1548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        Views/modifies file attributes
        
        PID:7028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        40⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        39⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647546.bat
        40⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        41⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        40⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647593.bat
        41⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        42⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        41⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647640.bat
        42⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        43⤵
        Views/modifies file attributes
        
        PID:10836
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        42⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647671.bat
        43⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        44⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        43⤵
        Executes dropped EXE
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647703.bat
        44⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        45⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        44⤵
        Executes dropped EXE
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647734.bat
        45⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        46⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        45⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647750.bat
        46⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        47⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        46⤵
        Executes dropped EXE
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647812.bat
        47⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        48⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        47⤵
        Executes dropped EXE
        
        PID:5640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647859.bat
        48⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        Views/modifies file attributes
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        49⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        48⤵
        Executes dropped EXE
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647890.bat
        49⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        Views/modifies file attributes
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        50⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        49⤵
        Executes dropped EXE
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647906.bat
        50⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        51⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        50⤵
        Executes dropped EXE
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647968.bat
        51⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        52⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        51⤵
        Executes dropped EXE
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240647984.bat
        52⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        53⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        52⤵
        Executes dropped EXE
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648046.bat
        53⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        Drops file in System32 directory
        
        PID:10792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        54⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        53⤵
        Executes dropped EXE
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648078.bat
        54⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        55⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        54⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648093.bat
        55⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        56⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        55⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648140.bat
        56⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        Views/modifies file attributes
        
        PID:7068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        57⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        56⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648187.bat
        57⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:6164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        58⤵
        Drops file in System32 directory
        
        PID:12260
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        57⤵
        Executes dropped EXE
        
        PID:5840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648234.bat
        58⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        59⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        58⤵
        Executes dropped EXE
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648281.bat
        59⤵
        
        PID:5480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        Views/modifies file attributes
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        60⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        59⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648343.bat
        60⤵
        
        PID:5504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        61⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        60⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648375.bat
        61⤵
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        62⤵
        
        PID:11800
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        61⤵
        Executes dropped EXE
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648390.bat
        62⤵
        
        PID:6084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        63⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        62⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648437.bat
        63⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        64⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        63⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648500.bat
        64⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        65⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        64⤵
        Executes dropped EXE
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648531.bat
        65⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        66⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        65⤵
        Executes dropped EXE
        
        PID:6236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648578.bat
        66⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        67⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        66⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648625.bat
        67⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        68⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        67⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648656.bat
        68⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        69⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        68⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648687.bat
        69⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        70⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        69⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648734.bat
        70⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        71⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        71⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        71⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        70⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648781.bat
        71⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        Drops file in System32 directory
        
        PID:9172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        72⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        71⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648812.bat
        72⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        Views/modifies file attributes
        
        PID:9328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        73⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        72⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648875.bat
        73⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        74⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        74⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        74⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        74⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        73⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648937.bat
        74⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        75⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        75⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        75⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        75⤵
        
        PID:10976
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        74⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240648984.bat
        75⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        76⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        76⤵
        Views/modifies file attributes
        
        PID:8416
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        76⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        75⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649000.bat
        76⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        77⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        77⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        77⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        77⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        76⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649062.bat
        77⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        78⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        78⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        78⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        78⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        77⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649078.bat
        78⤵
        
        PID:6624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        79⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        79⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        79⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        79⤵
        Views/modifies file attributes
        
        PID:11688
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        78⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649140.bat
        79⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        80⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        80⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        80⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        80⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        79⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649187.bat
        80⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        81⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        81⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        81⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        81⤵
        Drops file in System32 directory
        
        PID:9696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        81⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        80⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649265.bat
        81⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        82⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        82⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        82⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        81⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649359.bat
        82⤵
        
        PID:7100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        83⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        83⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        83⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        83⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        82⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649406.bat
        83⤵
        
        PID:5384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        84⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        84⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        84⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        83⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649421.bat
        84⤵
        
        PID:6816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        85⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        85⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        85⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        84⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649453.bat
        85⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        86⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        86⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        86⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        85⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649484.bat
        86⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        87⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        87⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        87⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        87⤵
        Views/modifies file attributes
        
        PID:12112
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        86⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649562.bat
        87⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        88⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        88⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        88⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        87⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649609.bat
        88⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        89⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        89⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        89⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        88⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649625.bat
        89⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        90⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        90⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        90⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        89⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649671.bat
        90⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        91⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        91⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        91⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        91⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        90⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649750.bat
        91⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        92⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        92⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        92⤵
        Views/modifies file attributes
        
        PID:12068
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        91⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649781.bat
        92⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        93⤵
        Views/modifies file attributes
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        93⤵
        Views/modifies file attributes
        
        PID:9512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        93⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        93⤵
        Drops file in System32 directory
        
        PID:11556
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        92⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649812.bat
        93⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        94⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        94⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        94⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        93⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649859.bat
        94⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        95⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        95⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        95⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        94⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649921.bat
        95⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        96⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        96⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        96⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        96⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        95⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240649984.bat
        96⤵
        
        PID:7440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        97⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        97⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        97⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        96⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650062.bat
        97⤵
        
        PID:6704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        98⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        98⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        98⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        98⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        97⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650078.bat
        98⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        99⤵
        Drops file in System32 directory
        
        PID:8112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        99⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        99⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        98⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650156.bat
        99⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        100⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        100⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        100⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        99⤵
        Drops file in System32 directory
        
        PID:7544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650187.bat
        100⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        101⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        101⤵
        Views/modifies file attributes
        
        PID:9264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        101⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        100⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650218.bat
        101⤵
        
        PID:8104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        102⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        102⤵
        Drops file in System32 directory
        
        PID:9164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        102⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        102⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        101⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650265.bat
        102⤵
        
        PID:8148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        103⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        103⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        103⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        102⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650328.bat
        103⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        104⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        104⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        104⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        103⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650359.bat
        104⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        105⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        105⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        105⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        104⤵
        Drops file in System32 directory
        
        PID:7940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650375.bat
        105⤵
        
        PID:7196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        106⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        106⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        105⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650515.bat
        106⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        107⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        107⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        107⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        106⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650562.bat
        107⤵
        
        PID:8120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        108⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        108⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        108⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        107⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650593.bat
        108⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        109⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        109⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        109⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        108⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650656.bat
        109⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        110⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        110⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        109⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650718.bat
        110⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        111⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        111⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        111⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        110⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650750.bat
        111⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        112⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        112⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        111⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650781.bat
        112⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        113⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        113⤵
        Views/modifies file attributes
        
        PID:10632
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        112⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650812.bat
        113⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        114⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        114⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        114⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        113⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650859.bat
        114⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        115⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        115⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        115⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        114⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650890.bat
        115⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        116⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        116⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        116⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        115⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240650968.bat
        116⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        117⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        117⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        116⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651015.bat
        117⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        118⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        118⤵
        Drops file in System32 directory
        
        PID:8800
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        117⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651062.bat
        118⤵
        
        PID:9184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        119⤵
        Views/modifies file attributes
        
        PID:8300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        119⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        118⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651140.bat
        119⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        120⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        120⤵
        Drops file in System32 directory
        
        PID:9764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        120⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        119⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651171.bat
        120⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        121⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        121⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        121⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        120⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651250.bat
        121⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        122⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        122⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        121⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651296.bat
        122⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        123⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        123⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        122⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651312.bat
        123⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        124⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        124⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        123⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651421.bat
        124⤵
        
        PID:8792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        125⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        125⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        124⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651546.bat
        125⤵
        
        PID:7536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        126⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        126⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        126⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        125⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651609.bat
        126⤵
        
        PID:8452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        127⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:9924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        127⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        126⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651687.bat
        127⤵
        
        PID:8896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        128⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        128⤵
        Views/modifies file attributes
        
        PID:10164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        128⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        128⤵
        
        PID:12016
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        127⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651718.bat
        128⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        129⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        129⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        128⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651828.bat
        129⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        130⤵
        Views/modifies file attributes
        
        PID:10424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        130⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        129⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651906.bat
        130⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        131⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        131⤵
        Views/modifies file attributes
        
        PID:9020
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        130⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240651968.bat
        131⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        132⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        132⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        131⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652015.bat
        132⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        133⤵
        Drops file in System32 directory
        
        PID:9680
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        133⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        132⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652046.bat
        133⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        134⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        133⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652140.bat
        134⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        135⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        134⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652218.bat
        135⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        136⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        135⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652265.bat
        136⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        137⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        136⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652328.bat
        137⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        138⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        138⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        137⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652390.bat
        138⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        139⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        138⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652421.bat
        139⤵
        
        PID:9332
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        140⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        140⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        139⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652453.bat
        140⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        141⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        140⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652500.bat
        141⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        142⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        142⤵
        Drops file in System32 directory
        
        PID:11392
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        141⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652593.bat
        142⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        143⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        142⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652671.bat
        143⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        144⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        143⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652734.bat
        144⤵
        
        PID:4212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        145⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        145⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        144⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652796.bat
        145⤵
        
        PID:9400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        146⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        146⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        145⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652828.bat
        146⤵
        
        PID:8176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        147⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        146⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652953.bat
        147⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        148⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        147⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240652984.bat
        148⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        149⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        148⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653093.bat
        149⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        150⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        149⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653156.bat
        150⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        151⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        150⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653250.bat
        151⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        152⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        151⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653312.bat
        152⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        153⤵
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:10480
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        152⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653375.bat
        153⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        154⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        153⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653453.bat
        154⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        155⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        154⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653593.bat
        155⤵
        
        PID:11144
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        156⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        155⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653625.bat
        156⤵
        
        PID:11224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        157⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        156⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653687.bat
        157⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        158⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        157⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653734.bat
        158⤵
        
        PID:9284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        159⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        158⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653796.bat
        159⤵
        
        PID:10752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        160⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        159⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653828.bat
        160⤵
        
        PID:8856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        161⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        160⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653906.bat
        161⤵
        
        PID:10392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        162⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        161⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240653937.bat
        162⤵
        
        PID:11200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        163⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        162⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654015.bat
        163⤵
        
        PID:8900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        164⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        164⤵
        Views/modifies file attributes
        
        PID:10888
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        163⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654046.bat
        164⤵
        
        PID:9520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        165⤵
        
        PID:11404
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        164⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654078.bat
        165⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        166⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        165⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654171.bat
        166⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        167⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        166⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654203.bat
        167⤵
        
        PID:10148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        168⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        167⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654281.bat
        168⤵
        
        PID:9888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        169⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        168⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654312.bat
        169⤵
        
        PID:10532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        170⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        170⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        169⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654390.bat
        170⤵
        
        PID:8988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        170⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654468.bat
        171⤵
        
        PID:8876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:10304
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\ayNNBNNB1042.exe" -r -a -s -h
        172⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        171⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654531.bat
        172⤵
        
        PID:11236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        172⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654546.bat
        173⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        173⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654593.bat
        174⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        174⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654625.bat
        175⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        175⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654687.bat
        176⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        176⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654734.bat
        177⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        177⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654828.bat
        178⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        178⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240654953.bat
        179⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        179⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655000.bat
        180⤵
        
        PID:11516
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        180⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655031.bat
        181⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        181⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655062.bat
        182⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        182⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655156.bat
        183⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        183⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655234.bat
        184⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        184⤵
        
        PID:12104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655328.bat
        185⤵
        
        PID:8992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        185⤵
        Drops file in System32 directory
        
        PID:10172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655359.bat
        186⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        186⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655406.bat
        187⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        187⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655484.bat
        188⤵
        
        PID:12164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        188⤵
        Drops file in System32 directory
        
        PID:11716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655546.bat
        189⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        189⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655671.bat
        190⤵
        
        PID:11172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        190⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\ca69b18ee8c2240655734.bat
        191⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\ayNNBNNB1042.exe
        
        C:\Windows\system32\ayNNBNNB1042.exe
        191⤵
        
        PID:11368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ayNNBNNB1042.exe

Filesize
5KB

MD5
5f7ed3d9c4bb91dd82349d84196d89cb

SHA1
078e452f528685a8f6c6d83bb3ef6bb3814c31f1

SHA256
9374b35c70ad7a2cdaec4309c0fc8ca49d692c4e86d379412f06fc55bf64500c

SHA512
db8f539b8642d3429daeb80bfbd912f5a6cec3fe8ccd1ca8c88549fd8bbcc21ede9440cae71f7dec4b57f8739a805c8acb409cf6adf5b999da665ccc0927ca58

Download Submit
C:\ca69b18ee8c2240645968.bat

Filesize
188B

MD5
75113f7107065a77bc3c8f9290b491c3

SHA1
628b26bde0d78a600dec22ae1f394c8ef17b716a

SHA256
9e093d2721685541b22da286491f1c642bd365621e51f8159a81217644712c21

SHA512
473828b3f1a0a2e390d69206a4cba04d6447b37a44a1537462ab1af0692deb91aa11da96ac1268988bfa1cac3f2b8fb4dc3e35f52bbd394d4cac306885ade067

Download Submit
\??\c:\ca69b18ee8c2240645906.bat

Filesize
332B

MD5
6a19b77cd59cec5428b8ac58388dd411

SHA1
88cd1c1be55c17b64b2b89770e39695589c3b6f5

SHA256
2072c9e0b6080fea1125ecee23d7ed34e22e77555ea1a4d60674d001d116e521

SHA512
dee016eaad673334121660b59dc31ca1795c2fbf27fa74860ccae5e3b802571dbe0ae7ec43fa4db85604ff7fa8e3e1d81dc1c483c36fa76e18c08aaa924a6360

Download Submit